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(54) Data transmission, reception, encryption, decryption and recording 



(57) A hash function and a service key are stored in 
advance in an EEPROM of a DVD player serving as a 
source. In an EEPROM of a personal computer (PC) 
serving as a sink, on the other hand, its ID and a license 
key are stored beforehand. The DVD player requests 
the PC to transmit the ID. The DVD player then applies 
the hash function to data resulting from concatenation . 
of the ID with the service key to generate a license key 



(= hash (I D I! service key)). Subsequently, the DVD play- 
er generates a source side session key and encrypts 
the session key by using the generated license key. 
Then, the DVD player transmits the encrypted source 
side session key to the PC. The PC decrypts the en- 
crypted source side session key by using the license key 
stored in its EEPROM to produce a sink side session 
key which has a value equal to that of the source side 
session key. 
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Description 

The present invention relates to a data transmission apparatus and method, a data reception apparatus and meth- 
od, an encryption method and apparatus, a decryption apparatus and method and a recording medium. 
5 I llustrative embodiments of the invention relate to such apparatus, methods and recording medium that allow data 

to be exchanged with a higher degree of security. 

In recent years, there has been proposed a system comprising pieces of electronic equipment such as AV appa- 
ratuses and personal computers connected to each other by typically IEEE1394 serial buses wherein data can be 
exchanged among the pieces of equipment. 
10 In such a system, for example, the ordinary user can play back movie information by using a DVD (Digital Video 

Disc) player and transmit the movie information to a monitor through the 1394 serial bus to display it on the monitor. 
. The conduct done by the user to display the movie information is automatically permitted by the author of the movie 
information normally through a license which was obtained when the user purchased the DVD of the movie information. 
In order to do a conduct to copy the movie information played back from the DVD player to another recording medium 
is . such as an optical magnetic disc, however, it is necessary for the user to obtain a special permission from the author 
of the movie information. In the case of a copy license, typically, the optical magnetic disc apparatus is also used to 
-store a key for indicating whether or not recording movie information into an optical magnetic disc mounted on the 
apparatus is allowed. That is to say : the key is used for forming a judgment as to whether or not the optical magnetic 
disc apparatus is a valid apparatus, that is, an apparatus licensed by the author of the movie information. If the optical 
20 - magnetic disc apparatus is authenticated as a valid apparatus, the act to record the movie information into the apparatus 
can be judged to be a permitted conduct. 

In such a case, it is necessary to verify that the destination apparatus is a valid apparatus in a transfer of information 
from an apparatus transmitting the information to an apparatus receiving the information, that is, the destination ap- 
paratus. It should be noted that the information transmitting apparatus and the information receiving apparatus are 
25 referred to hereafter as a source and a sink respectively. 

Fig. 32 is a diagram showing the ordinary method for authenticating a destination apparatus. As shown in the 
figure, the source and the sink are each given a predetermined function f in advance by the author. Stored in a memory 
of each of the source and sink, the function f is difficult to identify from its input and output. In addition, it is difficult for 
a person who does not know the function f to infer an output produced by the function f from an input to the function 
30 f. The function f is provided to and stored in only an apparatus licensed by the author 

The source generates a random number r and transmits the number r to the sink through a 1394 serial bus. The 
source also applies the function f to the random number r, generating a number x (= f(r)). 

Receiving the random number r from the source, the sink applies the function f to the random number r, generating 
a number y (= f(r)). The sink then transmits the number y to the source. 
35 The source compares the calculated number x with the number y received from the sink to form a judgment as to 

whether or not the former is equal to the latter (x = y). If the number x is found equal to the number y, the source judges 
the sink to be a valid apparatus. In this case, movie information is encrypted by using a predetermined key before 
being transmitted to the sink. 

As the key, a value k generated by applying the function f to the number y received by the source from the sink f 
40 is used (k = f(y)). By the same token, the sink also applies the function f to the number y to generate the value k (= f 
(y)). The value k is then, on the contrary, used as a key for decrypting the encrypted movie information. 

In this method, however, it is necessary for all pieces of electronic equipment used as sources and sinks for trans- 
mitting and receiving information respectively to hold a uniform function f in strict confidence. 

As a result, when the function 1 held in a piece ol electronic is stolen by an unauthorized user, for example, the 
45 unauthorized user is capable of generating a key k by monitoring data exchanged by way of a 1 394 serial bus and is, 
hence, capable of interpreting or decrypting encrypted data. In this way, the unauthorized user is capable of illegally 
stealing information by posing as an authorized user using a desired piece of electronic equipment. 
Aspects of the invention are specified in the claims to which attention is invited. 

Illustrative embodiments of the present invention seek to further improve security of transmitted information by 
50 preventing an unauthorized user from posing as a authorized user using a desired piece of electronic equipment even 
if data required for encrypting or decrypting the information is stolen by the unauthorized user. 

The present invention will become more apparent and will hence be more readily appreciated as the same becomes 
better understood from a study of the following illustrative description of some preferred embodiments with reference 
to accompanying diagrams in which: 

55 

Fig. 1 is a block diagram showing a typical configuration of an information processing system to which an illustrative 
embodiment of the present invention is applied; 

Fig. 2 is a block diagram showing detailed typical configurations of a DVD player 1 , a personal computer 2 and an 
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optical magnetic disc apparatus 3 in the information processing system shown in Fig. 1 ; 
Fig. 3 is an explanatory diagram used for describing authentication processing; 

Fig. 4 is a diagram showing an embodiment implementing an authentication procedure for carrying out the au- 
thenticating processing shown in Fig. 3; 
s Fig. 5 is a diagram showing the format of a node unique ID; 

Fig. 6 is a diagram showing another embodiment implementing the authentication procedure; 

Fig. 7 is a diagram showing a further embodiment implementing the authentication procedure; 

Fig. 8 is a diagram showing a still further embodiment implementing the authentication procedure; 

Fig. 9 is a diagram showing still another embodiment implementing the authentication procedure; 
10 Fig. 10 is a block diagram showing an embodiment implementing an information processing system to which an 

illustrative embodiment of the present invention is applied wherein a source transmits encrypted data to a plurality 

of sinks; 

Fig. 11 is a block diagram showing a typical configuration of a 1 394 interface unit 26 employed in a DVD player 1 
serving as the source in the system shown in Fig. 10; 
is Fig. 12 is a block diagram showing a typical detailed configuration of the 1394 interface unit 26 shown in Fig. 11 ; 

Fig. 1 3 is a block diagram showing a typical detailed configuration of an LFSR 72 employed in the 1 394 interface 
unit 26 shown in Fig. 12; 

Fig. 14 is a block diagram showing a more concrete configuration of the LFSR 72 shown in Fig. 13; 
Fig. 1 5 is a block diagram showing a typical configuration of a 1 394 interface unit 36 employed in an optical magnetic 
20 disc apparatus 3 serving as a sink in the system shown in Fig. 10; 

Fig. 16 is a block diagram showing a typical detailed configuration of the 1394 interface unit 36 shown in Fig. 15; 
Fig. 17 is a block diagram showing a typical configuration of a 1394 interface unit 49 employed in a personal 
computer 2 serving as another sink in the system shown in Fig. 10; 

Fig. 18 is a block diagram showing a typical detailed configuration of the 1394 interface unit 49 shown in Fig. 17; 
2S Fig. 19 is a block diagram showing a typical configuration of an application module 61 employed in the personal 

computer 2 serving as the other sink in the system shown in Fig. 10; 

Fig. 20 is a block diagram showing a typical detailed configuration of the application module 61 shown in Fig. 19; 
Fig. 21 is a block diagram showing another typical detailed configuration of the 1394 interface unit 26 employed 
in the DVD player 1 serving as the source in the system shown in Fig. 10; 
30 Fig. 22 is a block diagram showing another typical detailed configuration of the 1394 interface unit 36 employed 

in the optical magnetic disc apparatus 3 serving as the sink in the system shown in Fig. 10; 
Fig. 23 is a block diagram showing another typical detailed configuration of the 1 394 interface unit 49 employed 
in the personal computer 2 serving as the other sink in the system shown in Fig. 10; 

Fig. 24 is a block diagram showing another typical configuration of the application module 61 employed in the 
35 personal computer 2 serving as the other sink in the system shown in Fig. 10; 

Fig. 25 is a diagram showing a still further embodiment implementing the authentication procedure; 

Fig. 26 is a diagram showing a continuation procedure to the authentication procedure shown in Fig. 25; 

Fig. 27 is a diagram showing an alternative continuation procedure to the authentication procedure shown in Fig. 25; 

Fig. 28 is a block diagram showing the configuration of another embodiment implementing an information process- 
40 ing system to which an illustrative embodiment of the present invention is applied wherein a source transmits 

encrypted data to a sink; 

Fig. 29 is a block diagram showing a random number generator 903 or 914 employed in the source or the sink 
respectively in the system shown in Fig. 28; 

Fig. 30 shows a flowchart representing operations carried out by a processing circuit 902 or 91 3 employed in the 
45 source or the sink respectively in the system shown in Fig. 28; 

Fig. 31 is a diagram showing a still further embodiment implementing the authentication procedure; and 
Fig. 32 is a diagram showing the ordinary authentication procedure. 

Fig. 1 is a block diagram showing a typical configuration of an information processing system to which an illustrative 
so embodiment of the present invention is applied. As shown in the figure, in the configuration, a DVD player 1 , a personal 
computer 2, an optical magnetic disc apparatus 3, a data broadcasting/receiving apparatus 4, a monitor 5 and a tele- 
vision receiver 6 are connected to each other by an IEEE 1394 serial bus 11. 

Fig. 2 is a block diagram showing detailed typical configurations of the DVD player 1 : the personal computer 2 and 
the optical magnetic disc apparatus 3 in the information processing system shown in Fig. 1 . The DVD player 1 comprises 
ss a CPU 21, a ROM unit 22, a RAM unit 23, an operation unit 24, a drive 25, a 1394 interface unit 26 and an EE PROM 
unit 27 which are connected to each other by an internal bus 28. As shown in the figure, the DVD player 1 is connected 
to the 1394 serial bus 11 through a 1394 interface unit 26. The CPU 21 carries out various kinds of processing by 
execution of a program stored in the ROM unit 22. The RAM unit 23 is used for properly storing information such as 
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data and the program which are required by the CPU 21 in carrying out the processing. The operation unit 24 comprises 
components such as buttons, switches and a remote controller. When the user operates the operation unit 24, a signal 
representing the operation is generated. The driver 25 drives a DVD which is not shown in the figure, playing back 
data recorded on the DVD. The EEPROM unit 27 is used for storing information which needs to be stored even after 

5 the power supply of the DVD player 1 is turned off. In the case of the present embodiment, an example of such infor- 
mation is an encryption /decryption key. The internal bus 28 is used for connecting the CPU 21 , the ROM unit 22, the 
RAM unit 23, the operation unit 24, the drive 25, the 1394 interface unit 26 and the EEPROM unit 27 to each other. 

Much like the DVD player 1 , the optical magnetic disc apparatus 3 comprises a CPU 31 , a ROM unit 32, a RAM 
unit 33, an operation unit 34, a drive 35, a 1 394 interface unit 36 and an EEPROM unit 37 which are connected to each 

io other by an internal bus 38. Since the CPU 31 to the internal bus 38 have the same functions of the CPU 21 to the 
internal bus 28 employed in the DVD player 1 respectively, their explanation is not repeated. The only exception is that 
the driver 35 drives an optical magnetic disc which is not shown in the figure instead of a DVD. The driver 35 records 
and plays back data into and from the optical magnetic disc. 

In addition to a CPU 41 , a ROM unit 42, a RAM unit 43, a 1394 interface unit 49 and an EEPROM unit 50 which 

15 are connected to each other by an internal bus 51 , the personal computer 2 also includes an input/output interface unit 
44, a keyboard 45, a mouse 46, an HDD (Hard Disc Drive) 47 and an expansion board 48. The personal computer 2 
is connected to the 1394 serial bus 11 through the 1394 interface unit 49. The CPU 41 carries out various kinds of 
processing by execution of a program stored in the ROM unit 42. The RAM unit 43 is used for property storing information 
such as data and the program which are required by the CPU 41 in carrying out the processing. Connected to the 

20 internal bus 51, the input/output interface unit 44 serves as an interface between the CPU 41 and the keyboard 45, 
the mouse 46, the HDD 47 and the expansion board 48. The input/output interface unit 44 passes on signals input 
from the keyboard 45 and the mouse 46 connected to the interface unit 44 to the CPU 41 by way of the internal bus 
51 . Connected to the HDD 47, the input/output interface unit 44 allows data and a program coming from the internal 
bus 51 to be stored into the HDD 47 and, on the contrary, data and a program stored in the HDD 47 to be read out and 

2S forwarded to the internal bus 51 . The expansion board 48 is connected to the input/output interface unit 44, if needed, 
allowing necessary functions to be added to the personal computer 2. The EEPROM unit 50 is used for storing infor- 
mation which needs to be stored even after the power supply of the personal computer 2 is turned off. In the case of 
the present embodiment, an example of such information is a variety of encryption/decryption keys. The internal bus 
51 is a local bus typically implemented by a PCI (Peripheral Component Interconnect) bus for connecting the CPU 41 , 

30 the ROM unit 42, the RAM unit 43, the 1 394 interface unit 49, the EEPROM unit 50 and the inputfoutput interface unit 
44 to each other. 

It should be noted that the internal bus 51 is designed in an architecture open to the user through the input/output 
interface unit 44. That is to say, the user is allowed to connect an additional board as an expansion board 48 to the 
input/output interface unit 44, if required, and to write a custom program for the additional board to be installed in the 
35 personal computer 2. The CPU 41 then executes the custom program, properly exchanging data with the expansion 
board 48 by way of the internal bus 51 in order to implement a desired function. 

In the case of a consumer electronic (CE) apparatus such as the DVD player 1 and the optical magnetic disc 
apparatus 3, on the contrary, their internal buses 28 and 38 are not designed in an architecture open to the user. Thus, 
the user is not capable of acquiring data transmitted by way of the internal bus 28 or 38 unless the internal bus 28 or 
40 38 is redesigned specially. 

The following is a description of processing of authentication of a sink carried out by a source with reference to 
Figs. 3 and 4. Fig. 3 is an explanatory diagram used for describing the authentication processing. As shown in the 
figure, the processing is typically carried out by firmware 20 stored as a program in advance in the ROM unit 22 
employed in the DVD player 1 serving as the source to authenticate a license manager 62 stored in the ROM unit 42 
45 to be executed as a program by the CPU 41 employed in the personal computer 2 serving as the sink. 

Fig. 4 is a diagram showing an embodiment implementing a procedure whereby the source implemented typically 
by the DVD player 1 authenticates the sink implemented typically by the personal computer 2 by allowing the sink to 
g enera te a sink side session key having the same value as a source side session key generated by the source only if 
the sink is a valid sink. In the EEPROM unit 27 employed in the DVD player 1 , a service key and a hash function are 
so stored in advance. The service key and the hash function are given by an author of information to the user of the DVD 
player 1 who has to keep them in the EEPROM unit 27 in strict confidence. 

The author provides the user with a service key for each piece of information created by the author. The service 
key is used as a key common to all apparatuses connected to each other by the 1394 serial bus 11 to compose a 
system. It should be noted that, in the present specification, the term system is used to imply the whole system com- 
55 prising a plurality of apparatuses. 

The hash function is used for transforming an input with an arbitrary length into output data with a fixed length 
such as 64 bits or 128 bits. Let the transformation be expressed by y = hash (x) where the symbol x is the input to the 
hash function and the symbol y is the data output by the function. In this case, the hash function is such a complex 
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function that it is difficult to find the value of x from a given value of y. The hash function is such a complicated function 
that it is difficult to find a pair of xl and x2 that satisfies the equation hash (xl) = hash (x2). MD5 and SHA are each the 
name of a lunction known as a representative one-way hash function. For details of the one-way hash function, refer 
to a reference with a title "Applied Cryptography" authored by Bruce Schneier, a second edition published by Wiley. 

5 In the personal computer 2 used as a typical sink in the example shown in Fig. 4, on the other hand, an ID unique 

to the electronic apparatus, that is. the personal computer 2 in this case, and a license key provided in advance by the 
author of information are stored in strict confidence in the EEPROM unit 50. This node (apparatus) unique ID is normally 
assigned to the electronic apparatus by the manufacturer of electronic equipment as will be described later. The license 
key is a value resulting from application ol the hash function to (n + m)-bit data which is obtained by concatenating the 

10 n-bit ID with the m-bit service key Thus, the license key can be expressed by the following equation: 

hccnsc_key =. hash (ID || service_key) 

is where the notation "ID || service_key* represents a concatenation of the ID with the service key. 

A node_uniqueJD determined by specifications of the 1394 bus 11 can be typically used as an ID. Fig. 5 is a 
diagram showing the format of the node unique ID. As shown in the figure, the node_unique_ID comprises 8 bytes (or 
64 bits). The first 3 bytes are controlled by the IEEE and given by the IEEE to a manufacturer of electronic equipment 
as a number unique to the manufacturer On the other hand, the low-order 5 bytes can be assigned by the manufacturer 

20 of electronic equipment itself to an electronic apparatus sold to the user. Typically, each value of the whole low-order 
5 bytes are assigned by the electronic equipment maker to an electronic apparatus as a serial number of the apparatus. 
Since the high-order 3 bytes have a vh uc unique to the manufacturer of electronic equipment, the node_unique_1D is 
unique to each of electronic apparatuses without regard to whether the apparatuses are produced by the same man- 
ufacturer or different manufacturers 

25 As shown in Fig. 4, the procedure bcqms with a step S1 at which the firmware 20 in the DVD player 1 controls the 

1 394 interface unit 26 to make a requosi to the personal computer 2 for the ID thereof to be transmitted by way of the 
1 394 serial bus 11 . Then, the procedure goes on to a step S2 at which the license manager 62 of the personal computer 
2 receives the request for the ID. To put it in detail, the 1394 interface unit 49 employed in the personal computer 2 
passes on the request for the ID transmiiiori by the DVD player 1 by way of the 1394 serial bus 11 to the CPU 41. The 

30 procedure then proceeds to a step S3 hi which the license manager 62 being executed by the CPU 41 reads out the 
ID from the EEPROM unit 50 in acco^dnnce with the request forwarded thereto by the 1394 interface unit 49 and 
transmits the ID to the DVD player 1 by wny of the 1 394 interface unit 49 and the 1 394 serial bus 11. 

Then, the procedure continues to h step S4 at which the 1394 interface unit 26 employed in the DVD player 1 
receives the ID and passes on it to the firmware 20 being executed by the CPU 21 . 

35 Subsequently, the procedure goes on to a step S5 at which the firmware 20 concatenates the ID received from 

the personal computer 2 with a service key stored in the EEPROM unit 27 to form data (ID || servtce_key). Then, a 
license key Ik is computed by applying the hash function to the data (ID || service_key) as shown in the following 
equation: 

40 

Ik = hash (ID || service_key) 

The procedure then proceeds to a step S6 at which the firmware 20 generates a source side session key sk, details 
of which wilt be described later. The source side session key sk will be used as a common session key S by both the 
45 DVD player 1 to encrypt a clear text to be transmitted and by the personal computer 2 to decrypt an encrypted text 
received from the DVD player 1 . 

Then, the procedure continues to h slop S7 al which the firmware 20 encrypts the source side session key sk 
g enera t ec j a t the step S6 by using the license key Ik computed at the step S5 as a key to produce an encrypted source 
side session key e in accordance with ihc lollowing equation: 

so 

e = Enc (Ik, sk) 

It should be noted that the expression Enc (A, B) on the right hand side of the above equation represents a common 
ss session key encryption / decryption technique whereby data B is encrypted by using a key A to produce an encrypted 
source side session key e on the left h-mri side of the equation. 

Subsequently, the procedure goos on to a step S8 at which the firmware 20 transmits the encrypted source side 
session key e generated at the step S7 to the personal computer 2. To put it in detail, the encrypted source side session 
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key e is transmitted by the 1394 interface unit 26 employed in the DVD player 1 to the personal computer 2 by way of 
the 1394 serial bus 11. The procedure then proceeds to a step S9 at which the 1394 interface unit 49 employed in the 
personal computer 2 receives the encrypted source side session key e. Then, the procedure proceeds to a step S10 
at which the license manager 62 decrypts the encrypted source side session key e passed on thereto by the 1394 
5 interface unit 49 by using a license key provided in advance by the author of information and stored in the EEPROM 
unit 50 as a key to produce a sink side session key sk' in accordance with the following equation: 

sk' = Dec (license_key, e) 

10 

It should be noted that the expression Dec (A, B) on the right hand side of the above equation represents the 
common session key encryption/decryption technique whereby encrypted data B is in this case decrypted by using a 
key A to produce a sink side session key sk' on the left hand side of the equation. 

It is also worth noting that a DES algorithm is known as a data encrypting/decrypting algorithm adopted in the 
is common session key encryption/decryption technique which is also described in detail in the second edition of the 
reference with the title "Applied Cryptography" cited above. 

The license key provided by the author ot information and stored in the EEPROM unit 50 employed in the personal 
computer 2 in advance has a value which was computed by the author by using the same hash function as license the 
key Ik was generated by the DVD player 1 at the step S5. That is to say, the following equation holds true: 

20 

Ik = license_key 

Thus, based on the common source side session key encryption/decryption technique using the same (license) 
25 key, the decryption carried out by the personal computer 2 at the step S10 is just a reversed process of the encryption 
performed by the DVD player 1 at the step S7. As a result, since e is the encrypted data of the source side session 
key sk generated by the DVD player 1 at the step S6, the sink side session key sk' computed by the personal computer 
2, that is, a result of the decryption of the encrypted source side session key e, is equal to the source side session key 
sk. That is to say, the following equation holds true: 

30 

sk 1 = sk 

In this way, since the source and sink side session keys sk and sk' have the same value, the source implemented 
35 typically by the DVD player 1 and the sink implemented typically by the personal computer 2 can share a common 
session key S. For this reason, the DVD player 1 can use the key sk as an encryption key as it is to encrypt a clear 
text created by the author to be transmitted to the personal computer 2. By the same token, the personal computer 2 
can use the sink side session key sk' as a decryption key as it is to decrypt an encrypted text received from the DVD 
player 1. As an alternative, the DVD player 1 generates a pseudo random number to be used as an encryption key by 
40 using the source side session key sk as a base as will be described later. Likewise, the personal computer 2 generates 
a random number to be used as a decryption key by using the sink side session key sk* as a base as will also be 
described later. 

As described above, the license key Ik is generated at the step S5 of the procedure shown in Fig. 4 by applying 
the hash function to a concatenation of an ID unique to a particular electronic apparatus and a service key provided 

45 for a text created by the author. Thus, in a pair of electronic apparatuses wherein the source does not have the service 
key for the text and/or the sink does not have the ID unique to the legal owner, it is impossible to generate the correct 
license key Ik (Refer to the step S5 of the procedure shown in Fig. 4). In addition, an electronic apparatus not authen- 
ticated by the author is not provided with a license key and, thus, not capable of generating the session key sk' (Refer 
to the step S10 of the procedure shown in Fig. 4). In a normal case, after the procedure shown in Fig. 4 is completed, 

50 the DVD player 1 encrypts reproduced data or a clear text by using the source side session key sk and transmits the 
encrypted data or the encrypted text to the personal computer 2. Provided with a correct license key, the personal 
computer 2 is capable of generating the sink side session key sk' (Refer to the step S10 of the procedure shown in 
Fig. 4). The personal computer 2 is thus capable of decrypting the encrypted playback data or the encrypted text 
received from the DVD player 1 by means of the sink side session key sk'. If the personal computer 2 is not a licensed 

ss electronic apparatus, however, it will be impossible to generate the sink side session key sk' because the correct license 
key is not available. As a result, the unlicensed personal computer 2 is not capable of decrypting the encrypted playback 
data or the encrypted text received from the DVD player 1. In other words, only a sink capable of generating a sink 
side session key sk* having the same value as the source side session key sk generated by the source is authenticated 
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in the end. This is because only a particular electronic apparatus serving as an authorized source which has a service 
key provided by an author for information or a text created by the author and receives a correct ID from an authorized 
sink is capable of generating the correct license key Ik. By the same token, only a particular electronic apparatus 
serving as an authorized sink which is provided with the correct license key by the author is capable of generating the 

5 correct sink side session key sk* for use as a decryption key to decrypt encrypted data or an encrypted text. 

Assume that a license key granted to a personal computer 2 is stolen by any chance. In this case, nevertheless, 
the stolen license key can not be used in another electronic apparatus to generate a valid sink side session key sk' 
because the other apparatus has an ID different from that assigned to the personal computer 2. Since the ID varies 
from apparatus to apparatus as such, another electronic apparatus will not be capable of decrypting the encrypted 

io playback data or the encrypted text received from the DVD player 1 by means of the stolen license key. As a result, 
the security of transmitted information can be enhanced. 

Fig. 6 is a diagram showing another embodiment implementing an authentication procedure whereby a source 
implemented typically by the DVD player 1 authenticates two sinks implemented typically by the personal computer 2 
and the optical magnetic disc apparatus 3 respectively by allowing each of the sinks to generate a sink side session 

is key. having the same value as a source side session key generated by the source only if the sinks are valid sinks. 

In the EEPROM unit 50 employed in the personal computer 2 serving as the first sink, ID 1, an identification 
assigned in advance uniquely by a manufacturer of electronic equipment to the personal computer 2, and License Key 
1 , a license key provided in advance by an author of information to the computer 2 are stored. By the same token, in 
the EEPROM unit 37 employed in the optical magnetic disc apparatus 3 serving as the second sink, ID 2, an ID assigned 

20 jn advance uniquely by a manufacturer of electronic equipment to the disc apparatus 3, and License Key 2, a license 
key provided in advance by the author of information to the disc apparatus 3 are stored. 

Since pieces of processing carried out at the steps S1 1 to S20 by the DVD player 1 serving as the source and the 
personal computer 2 serving as the first sink are in essence the same as those of the steps S1 to S10 of the procedure 
shown in Fig. 4, their explanation is not repeated. 

25 in briel, the personal computer 2 generates a valid sink side session key skV from an encrypted source side 

session key e1 received from the DVD player 1 at the step S20 as described above. The procedure then goes on to 
a step S21 at which the firmware 20 in the DVD player 1 controls the 1 394 interface unit 26 to make a request to the 
optical magnetic disc apparatus 3 for the ID thereof to be transmitted by way of the 1394 serial bus 11. Then, the 
procedure goes on to a step S22 at which firmware 30 of the optical magnetic disc apparatus 3 shown in Fig. 10 

30 receives the request for the ID. To put it in detail, the 1 394 interface unit 36 employed in the optical magnetic disc 
apparatus 3 passes on the request for the ID transmitted by the DVD player 1 by way ol the 1394 serial bus 11 to the 
CPU 31 . The procedure then proceeds to a step S23 at which the firmware being executed by the CPU 31 reads out 
the identification ID2 from the EEPROM unit 37 in accordance with the request forwarded thereto by the 1 394 interface 
unit 36 and transmits the identification ID2 to the DVD player 1 by way of the 1 394 interface unit 36 and the 1 394 serial 

35 bus 11. 

Then, the procedure continues to a step S24 at which the 1394 interface unit 26 employed in the DVD player 1 
receives the identification ID2 and passes on it to the firmware 20 being executed by the CPU 21. 

Subsequently, the procedure goes on to a step S25 at which the firmware 20 concatenates the identification ID2 
received from the optical magnetic disc apparatus 3 with a service key stored in the EEPROM unit 27 to form data (ID2 
40 H service_key). Then, a license key Ik2 is computed by applying the hash function to the data (ID2 II service_key) as 
shown in the following equation: 

Ik2 = hash (ID2 || service_key) 

45 

Then, the procedure continues to a step S26 at which the firmware 20 encrypts the source side session key sk 
generated at the step S16 by using the license key Ik2 computed at the step S25 as a key to produce an encrypted 
source side session key e2 in accordance with the following equation: 

50 e2 = Enc (Ik2, sk) 

Subsequently, the procedure goes on to a step S27 at which the firmware 20 transmits the encrypted source side 
session key e2 generated at the step S26 to the optical magnetic disc 3. To put it in detail, the encrypted source side 
55 session key e2 is transmitted by the 1 394 interface unit 26 employed in the DVD player 1 to the optical magnetic disc 
apparatus 3 by way of the 1394 serial bus 11. 

The procedure then proceeds to a step S28 at which the 1394 interface unit 36 employed in the optical magnetic 
disc 3 receives the encrypted source side session key e2. Then, the procedure proceeds to a step S29 at which the 



:iD: <EP 0874299A2_L> 



EP 0 874 299 A2 



firmware 30 decrypts the encrypted source side session key e2 passed on thereto by the 1394 interface unit 36 by 
using a license key (license_key 2) stored in the EEPROM unit 37 as a key to produce a sink side session key sk2' in 
accordance with the following equation: 

5 

sk2" = Dec (license_key 2, e2) 

As described above, the personal computer 2 and the optical magnetic disc apparatus 3 generate the sink side 
session keys skV and sk2' at the stops S20 and S29 respectively Normally, the sink side session keys skV and sk2' 
10 have the same value as the source side session key sk generated by the DVD player 1 at the step SI 6. 

In the procedure shown in Fig. 6 the DVD player 1 makes requests for an ID to the personal computer 2 and the 
optical magnetic disc apparatus 3 separately It should be noted, however, that in the case of broadcasting communi- 
cation wherein requests can be made at the same time, processing according to an embodiment implementing a 
procedure like one shown in Fig. 7 can be carried out. 
is As shown in the figure, the procedure begins with a step S41 at which the DVD player 1 transmits requests to all 

sinks, that is, the personal computer 2 and the optical magnetic disc apparatus 3, for the IDs thereof by broadcasting 
communication. Then, the procedure goes on to steps S42 and S43 at which the personal computer 2 and the optical 
magnetic disc apparatus 3 respectively receive the requests for the IDs. The procedure then proceeds to steps S44 
and S45 at which the personal computer 2 and the optical magnetic disc apparatus 3 read out the identifications ID1 
20 and ID2 from the EEPROM units 50 rind 37 respectively and transmit them to the DVD player 1. Then, the procedure 
" continues to steps S46 and S47 at which the DVD player 1 receives the identifications ID1 and ID2 respectively. 

Subsequently, the procedure goes on to a step S48 at which the DVD player 1 concatenates the identification ID1 
received from the personal computer 2 with a service key stored in the EEPROM unit 27 to form data (ID1 1| service_key). 
Then, a license key Ik1 is computed ty applying the hash function to the data (ID1 || service_key) as shown in the 
2S following equation: 

Ik1 = hash (ID1 || service_key) 

30 Subsequently, the procedure goes on to a step S49 at which the DVD player 1 concatenates the identification ID2 

received from the optical magnetic disc apparatus 3 with the service key stored in the EEPROM unit 27 to form data 
(ID2 1| service_key). Then, a license key lk2 is computed by applying the hash function to the data (ID2|| service_key) 
as shown in the following equation: 

35 

IK2 = hash (ID2 || service_key) 

The procedure then proceeds to a step S50 at which the DVD player 1 generates a source side session key sk. 
Then, the procedure continues to a step S51 at which the DVD player 1 encrypts the source side session key sk 
40 generated at the step S50 by using the license key Ik1 computed at the step S48 as a key to produce an encrypted 
source side session key e1 in accordance wrth the following equation: 

e1 = Enc (Ik1, sk) 

45 

Then, the procedure continues to h step S52 at which the DVD player 1 encrypts the source side session key sk 
generated at the step S50 by using the license key Ik2 computed at the step S49 as a key to produce an encrypted 
source side session key e2 in accoidmce with the following equation: 

so 

e2 = Enc (Ik2, sk) 

The procedure then goes on to a slop S53 at which the identification ID1 , the encrypted source side session key 
e1, the identification ID2 and the encrypted source side session key e2 are concatenated to produce encrypted data 
ss e as follows: 

e = IDl || e1 || ID2H e2 
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Subsequently, the procedure goes on to a step S54 at which the DVD player 1 transmits the encrypted data e to 
the personal computer 2 and the optical magnetic disc apparatus 3 by broadcasting communication. The procedure 
then proceeds to steps S55 and S56 at which the personal computer 2 and the optical magnetic disc apparatus 3 
receive the encrypted data e. Then, the procedure proceeds to steps S57 and S58 at which the personal computer 2 
5 and the optical magnetic disc apparatus 3 decrypt the encrypted source side session keys e1 and e2 extracted from 
the encrypted data e by using the license keys License Key 1 and License Key 2 stored in the EEPROM units 50 and 
37 as keys to produce sink side session keys skV and sk2' respectively in accordance with the following equations: 

ski ' = Dec (License_Key 1 , e1 ) 



sk2' = Dec (License_Key 2, e2) 

is Fig. 8 is a diagram showing an embodiment implementing a procedure of authentication processing whereby only 

a valid sink will generate a sink side session key sk* having the same value as a source side session key sk generated 
by a source in a system wherein the sink is capable of rendering a plurality of services, that is, decrypting a plurality 
of kinds of information. To handle the different kinds of information, the personal computer 2 serving as the sink is 
provided with a plurality of license keys stored in the EEPROM unit 50 such as License_Key 1, License_Key 2, 

20 License_Key 3 etc. for the different kinds of information. By the same token, the DVD player 1 serving as a source has 
information on a plurality of service IDs for identifying which kinds of information to be transmitted to the sink and a 
. plurality of service keys stored in the EEPROM unit 27 such as Service_Key 1, Service_Key 2, Service_Key 3 etc. 
used for generating License_Key 1 , License_Key 2, License_Key 3 etc. respectively. Pieces of processing carried out 
in the procedure shown in Fig. 8 are similar to those of the procedure shown in Fig. 4 except for the following steps. 

2S To begin with, at a step S81 , the DVD player 1 transmits a request for an ID along with a service ID for identifying a 
kind of information, which is to be serviced by the personal computer 2 used as the sink, to the personal computer 2. 
Then, at a step S85, a license key Ik is generated by the DVD player 1 by application of the hash function to an ID 
received from the personal computer 2 and one of Service_Key 1 , Service_Key 2, Service_Key 3 etc. in the EEPROM 
unit 27 which is associated with the kind of information to be transmitted to the sink, that is, associated with the service 

30 ID transmitted to the personal computer 2 at the step S81 . Finally, at a step S90, the personal computer 2 generates 
a sink side session key sk' from an encrypted source side session key e received from the DVD player 1 at a step 89 
and one of License_Key 1, Ltcense_Key 2, License_Key 3 etc. in the EEPROM unit 50 that is associated with the 
service ID received from the DVD player 1 at the step S82. 

Fig. 9 is a diagram showing another embodiment implementing a procedure of authentication whereby only a valid 

35 sink will be capable of generating a sink side session key sk 1 having the same value as a source side session key sk 
generated by a source. In this case, the DVD player 1 used as a source has a service key, a hash function and a 
pseudo random number generating function pRNG which are stored in the EEPROM unit 27 employed thereby. The 
service key, the hash function and the pseudo random number generating function pRNG are given by an author of 
information and kept in strict confidence. On the other hand, stored in the EEPROM unit 50 employed by the personal 

40 computer 2 serving as a sink are an ID assigned to the personal computer 2 by the manufacturer of electronic equipment 
as well as license keys LK and LK\ a confusion function G and the pseudo random number generating function pRNG 
which are given by the author of the information. 

The license key LK is a unique random number generated by the author whereas the license key LK' is also 
generated by the author so as to satisfy the following equation: 

45 

LK' = G A - 1 (R) 

where R = pRNG (H) (+) pRNG (LK) 

so where H = hash (ID || service_key) 

It should be noted that, while the symbol A alone denotes the power notation, the notation "G A -1" means the 
inverse function of the confusion function G. The value of the inverse function G A -1 can be found with ease provided 
that predetermined rules are known. If the predetermined rules are not known, however, it is difficult to compute the 
value of the inverse function G A -1. A function used in encryption based on a disclosed key can be utilized as this 

55 function. 

In addition, the function pRNG for generating a random number can be implemented by hardware. 
As shown in Fig. 9, the procedure begins with a step S101 at which the firmware20 in the DVD player 1 makes a 
request to the license manager 62 of the personal computer 2 for the ID thereof to be transmitted. Then, the procedure 
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goes on to a step S102 at which the license manager 62 of the personal computer 2 receives the request for the ID. 
The procedure then proceeds to a step S103 at which the license manager 62 reads out the ID from the EEPROM unit 
50 in accordance with the request and transmits the ID to the DVD player 1. Then, the procedure continues to a step 
S104 at which the DVD player 1 receives the ID. Subsequently, the procedure goes on to a step SI 05 at which the 
5 firmware 20 concatenates the ID received from the personal computer 2 with a service key stored in the EEPROM unit 
27 to form data (ID || service_key). Then, a value H is computed by applying the hash function to the data (ID|| 
service_key) as shown in the following equation: 

H = hash (ID || service_key) 

The procedure then proceeds to a step S106 at which the firmware 20 generates a source side session key sk. 
Then, the procedure continues to a step S 107 at which the firmware 20 compute an encrypted source side session 
key e from the value H generated at the step S105 and the source side session key sk generated at the step S106 in 
is accordance with the following equation: 

e = sk (+) pRNG (H) 

20 where the notation (+) used on the right hand side of the above equation is the operator of the operation to compute 
" an exclusive logical sum and, thus, an expression A (+) B represents the exclusive logical sum of A and B. 

That is to say, at the step S107, the source side session key sk generated at the step S 106 is encrypted to produce 
the encrypted source side session key e by finding the exclusive logical sum of each bit of the key sk and the corre- 
sponding bit of pRNG (H), a random number obtained by applying the pseudo random number generating function 
25 pRNG to the value H generated at the step S105. 

Subsequently, the procedure goes on to a step S108 at which the firmware20 transmits the encrypted source side 
session key e generated at the step S1 07 to the personal computer 2. 

The procedure then proceeds to a step S1 09 at which the personal computer 2 receives the encrypted source side 
session key e. Then, the procedure proceeds to a step S110 at which the license manager 62 decrypts the encrypted 
30 source side session key e by using the license keys LK and LK* stored in the EEPROM unit 50 as keys to produce a 
sink side session key sk' in accordance with the following equation: 

sk' = e (+) G (LK') (+) pRNG (LK) 

35 

That is to say, at the step S110, the encrypted source side session key e received from the DVD player 1 is 
decrypted to produce the sink side session key sk' by finding the exclusive logical sum of the encrypted source side 
session key e , G (LK 1 ), a value obtained by applying the confusion function G stored in the EEPROM unit 50 to the 
license key LK' also stored in the EEPROM unit 50, and pRNG (LK), a value obtained by applying the pseudo random 
40 number generating function pRNG also stored in the EEPROM unit 50 to the license key LK also stored in the EEPROM 
unit 50. 

Much like the procedure shown in Fig. 4, the sink side session key sk' generated by the personal computer 2 at 
the step S1 10 has the same value as the source side session key sk generated by the DVD player 1 at the step S6. 
The fact that sk = sk* is proven by the following: 

45 

sk' = e (+) G (LK 1 ) (+) pRNG (LK) 

Substituting (sk (+) pRNG (H)) for e in the expression on the right hand side of the above equation yields the following 
so equation: 

sk' = sk (+) pRNG (H) (+) G(LK') (+) pRNG (LK) 
55 Since G(LK') = G( G A - 1 (R)) = R, the following equation is obtained: 

sk' = sk (+) pRNG (H) (+) R (+) pRNG (LK) 
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Substituting (pRNG (H) (+) pRNG (LK)) for R in the expression on the right hand side of the above equation yields the 
following equation: 

5 Sk' = sk (+) pRNG (H) (+). pRNG (H) (+) pRNG 

(LK) (+) pRNG (LK) 
= sk 

10 

As described above, the source and sink side session keys sk and sk' are a common key S shared by both the 
DVDplayeM and the personal computer 2 serving as a source and a sink respectively Inaddition, unlike the procedures 
described previously, it is only an author of information who is capable of generating license keys LK and LK'. Thus, 
is an attempt made by a source to illegally generate the license keys LK and LK' will end in a failure. As a result, the 
' security of transmitted information can be further improved. 

In the authentication procedures described above, a source authenticates a sink by allowing the sink to generate 
" a sink side session key sk' having the same value as a source side session key sk generated by the source only if the 
sink is a valid sink. The procedure can also be applied for example to authenticate the ordinary operation to load an 
20 application program in the personal computer 2 in order to prevent an application program obtained illegally from being 
" executed. In this case, it is necessary to form a judgment as to whether or not execution of each application program 
is allowed by the author of the program through the same procedure as those described so far whereby the license 
manager 62 authenticates an application module 61 as shown in Fig. 3. To be more specific, in the authentication 
procedure shown in Fig. 3, the license manager 62 serves as a source whereas the application module 61 is used as 
2S a sink. 

After the authentication process described above has been completed, that is, after the sink has generated a sink 
side session key sk' having the same value as a source side session key sk generated by the source, data or a clear 
text encrypted by the source by using an encryption key is transmitted to the sink from the source. At the sink, the 
encrypted data or the encrypted text is decrypted back by using a decryption key. As described above, the source and 

30 sink side session keys sk and sk' can be used as encryption and decryption keys respectively as they are or, as an 
alternative, a random number generated from the session key sk or sk' is used as an encryption or decryption key 
instead. The operation carried out by the source to encrypt data and the operation carried out by the sink to decrypt 
the encrypted data are explained as follows. 

In an electronic apparatus such as the DVD player 1 and the optical magnetic disc apparatus 3, the internal functions 

35 of which are not built in an architecture open to the user, the processing to encrypt and decrypt data transmitted through 
the 1394 serial bus 11 in a system like one shown in Fig, 10, a block diagram showing a system wherein a source 
transmits encrypted data to sinks, is carried out by the 1394 interface units 26 and 36 employed in the DVD player 1 
and the optical magnetic disc apparatus 3 respectively. Data is encrypted or decrypted by using a session key S, that 
is, the source side session key sk or the sink side session key sk' described earlier, and a time variable key i, strictly 

40 speaking, a key i' for generating the time variable key i. The session key S and the key i' are supplied by the firmware20 
or 30 to the 1 394 interface unit 26 or 36 respectively. The session key S comprises an initial value key Ss used as an 
initial value and a derangement key Si for deranging the time variable key i. The initial value key Ss andthe derangement 
key Si can be formed respectively from a predetermined number of high order bits and a predetermined number of low 
order bits of the source side session key sk or the sink side session key sk' which has the same value as sk used in 

45 the process ol authenticating the sink described earlier The session key S is properly updated in each session, for 
example, for each movie information or for each playback operation. On the other hand : the time variable key i which 
is generated from the derangement key Si of the session key S and the key i* is updated a number of times in a session. 
For example, time information obtained with predetermined timing can be used typically as the key i\ 

Assume that movie data played back and output by the DVD player 1 serving as a source is transmitted to the 

so optical magnetic disc apparatus 3 and the personal computer 2 which are used as sinks by way of the 1 394 serial bus 
1 1 and is then decrypted by the sinks. In this case, the data is encrypted by the 1 394 interface unit 26 employed in the 
DVD player 1 by using the session key S and the time variable key i, strictly speaking : the key i' and the encrypted 
data is decrypted back by the 1394 interface unit 36 employed in the optical magnetic disc apparatus 3 by using the 
session key S and the time variable key i, strictly speaking, the key i\ 

ss in the personal computer 2, on the other hand, the license manager 62 supplies the initial value key Ss of the 

session key S to the application module 61 and the derangement key Si of the session key S and the time variable 
key i, strictly speaking, the key i* for generating the time variable key i, to the 1 394 interface unit 49 serving as a link 
unit, in the 1394 interface unit 49, the time variable key i is generated from the derangement key Si and the key i' and 
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used for decrypting back the encrypted data. The decrypted data is further decrypted by the application module 61 by 
using the session key S, strictly speaking, by using the initial value key Ss of the session key S. 

As described above, in the personal computer 2 having an architecture wherein the internal bus 51 is designed in 
an architecture open to the user, the 1 394 interface unit 49 carries out only a 1 st stage of the decryption on the encrypted 
s data, leaving the data still in an encrypted state. Then, the application module 61 further performs a 2nd stage of the 
decryption on the data decrypted by the 1394 interface unit 49 to produce the clear text. In this way, the personal 
computer 2 is prohibited from copying data (that is, a clear text) transferred by way of the internal bus 51 to another 
medium such as a hard disc mounted on the hard disc drive 47 through the use of a proper function added to the 
internal bus 51. 

w As described above, according to the embodiment of the present invention, in a CE apparatus with an architecture 

wherein an internal bus is not open to the user, encrypted data is decrypted only once by using a session key S and 
a time variable key i, strictly speaking, a key i'. In the case of a CE apparatus such as the personal computer 2 with 
an architecture wherein an internal bus is open to the user, on the other hand, encrypted data is decrypted by using a 
time variable key i, which is generated by using the derangement key Si of a session key S and the key i' , at a 1st 

is stage of decryption, and then further decrypted by using the initial value Ss of the session key S at a 2nd stage of 
decryption. Thelst and 2nd stages of the decryption processing are represented by the following equation: 

Dec (Ss, Dec (i, Enc (algo (S + Data))) = Data 

20 

- where the term algo (S + i') appearing on the left hand side of the above equation represents a value resulting from 
application of a predetermined algorithm to the session key S and the time variable key i, strictly speaking, the key i\ 
the notation Dec appearing at the left end of the equation represents the 2nd stage of the decryption, the other Dec 
notation denotes the 1 st stage of decryption and the notation Enc indicates the encryption carried out by the source. 

25 Fig. 11 is a block diagram showing a typical configuration of the 1394 interface unit 26 that satisfies the term Enc 

appearing in the equation given above to represent the encryption carried out by the DVD player 1 employing the 1 394 
interface unit 26. As shown in the figure, the configuration comprises an additive generator 71 , an LFSR (Linear Feed- 
back Shift Register) 72, a shrink generator 73 and an adder 74. m-bit data generated by the additive generator 71 and 
1 -bit data generated by the LFSR are supplied to the shrink generator 73. The shrink generator 73 selects some pieces 

30 of m-bit data received from the additive generator 71 in accordance with the value of the 1 -bit data supplied by the 
LFSR 72 and outputs the selected m-bit data to the adder 74 as an encryption key. It should be noted that the m-bit 
encryption key, a random number generated by the shrink generator 73. corresponds the key (S + i') in the equation 
given above. The adder 74 adds the m-bit encryption key received from the shrink generator 73 to an input clear text, 
that is, m-bit data to be transmitted to the 1 394 serial bus 11 , to produce an encrypted text or encrypted data. 

35 The addition carried out by the adder 74 is a mod 2 A m process, where the symbol A is the power notation, meaning 

addition of the encryption key generated by the shrink generator 73 to the clear text. In other words, the process is 
addition of an m-bit key to m-bit data with a carry-over ignored. 

Fig. 12 is a block diagram showing a detailed configuration of the 1 394 interface unit 26 which is shown in Fig. 11 
in a simple and plain manner. As shown in Fig. 12, the initial value key Ss of the session key S received from the 

40 firmware20 is supplied to and held in a register 82 by way of the adder 81 . Typically, the initial value key Ss comprises 
55 words each having a length in the range 8 to 32 bits. On the other hand, the derangement key Si of the session key 
S is held in a register 85. Typically, the derangement key Si is the low order 32 bits of the session key S. 

The key i' is held in a 32-bit register 84. The key i" is created in a process of accumulation of bits. To put it in detail, 
each time a packet is transmitted through the 1394 serial bus 11, typically, two bits used for forming the key i' are 

45 supplied to the register 84. The creation of the 32-bit key i' is completed as 16 packets are transmitted. At that time, 
the 32-bit key i' is added to the derangement key Si held in the register 85 by an adder 86 to finally generate a time 
variable key i which is supplied to the adder 81 . The adder 81 adds the time variable key i output by the adder 86 to 
the initial value key Ss held in the register 82, storing the result of the addition back in the register 82. 

Assume that the number of bits per word in the register 82 is 8. In this case, since the time variable key i output 

so by the adder 86 is 32 bits in width, the time variable key i is divided into 4 portions each comprising 8 bits. Each of the 
4 portions is then added to a word in the register 82 at a predetermined address, that is, at one of the addresses 0 to 54. 

As described above, the initial value key Ss is held initially in the register 82. Each time16 packets of an encrypted 
text are transmitted thereafter, however, the initial value Ss is updated by adding the time variable key i thereto. 

An adder 83 selects predetermined two words among the 55 words of the register 82 and adds the selected two 

ss words to each other. With timing shown in Fig. 12, words at addresses 23 and 54 are selected by the adder 83. The 
adder 83 supplies the result of the addition to the shrink generator 73 and a word in the register 82. With the timing 
shown in Fig. 12, the adder 83 supplies the result of the addition to the word of the register 82 at an address 0 to 
replace the data currently stored in the word. 
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At the next timing, the two words selected by the adder 83 are changed from the addresses 54 and 23 to addresses 
53 and 22, being shifted in the upward direction shown in the figure by 1 word. By the same token, the destination of 
the result of the addition output by the adder 83 is also shifted upward. Since there is no word above address 0, 
however, the destination is changed from the word at address 0 to the word at address 54 at the bottom of the register 82. 
5 It should be noted that, in each of the adders 81 , 83 and 86, processing to compute an exclusive logical sum can 

be carried out instead. 

Fig. 13 is a block diagram showing a typical configuration of the LFSR 72. As shown in the figure, the LFSR 72 
comprises an n-bit shift register 101 and an adder 102 for summing up the values of a predetermined number of bits 
among the n bits. A bit resulting from the addition by the adder 102 is stored in the left most bit b n of the n-bit shift 

io register 101 shown in the figure and, at the same time, the previous value of the bit b n is shifted to a bit b n-1 on the 
right hand side of the bit bn. By the same token, the bit shifting to the right is applied to the previous values of bits b n . v 
b n _ 2 , — , etc. whereas the previous value of the right most bit b, shown in the figure is output. At the next timing, a bit 
resulting from the addition by the adder 102 is again stored in the left most bit b n of the n-bit shift register 101 and, at 
the same time, the previous value of the bit bn is again shifted to a bit b n .-, on the right hand side of the bit b n . By the 

is same token, the bit shifting to the right is gain applied to the previous values of bits b n . 1( b n . 2 , — , etc. whereas the 
previous value of the right most bit b-, is again output. These operations are carried out repeatedly, sequentially out- 
putting bits from the right most bit bj one bit after another. 

Fig. 13 is a diagram showing a typical configuration of the LFSR 72 in general terms. On the other hand, Fig. 14 
is a diagram showing a typical configuration of the LFSR 72 in more concrete terms. In the configuration shown in Fig. 

20 14, the shift register 101 comprises 31 bits. The adder 102 is used for adding the value of the led most bit b 31 to the 
" value of the right most bit b-j and storing the result of the addition in the left most bit 31 of the shift register 101 . 

As shown in Fig. 1 2, the shrink generator 73 comprises a condition judging unit 91 and a FIFO unit 92. The condition 
judging unit 91 passes on m-bit data supplied by the adder 83 employed in the additive generator 71 to the FIFO unit 
92 to be held therein as it is when the LFSR 72 outputs a bit having the logic value T. When the LFSR 72 outputs a 

25 bit having the logic value "0", on the other hand, the condition judging unit 91 does not pass on m-bit data supplied by 
the adder 83 employed in the additive generator 71 to the FIFO unit 92, suspending the encryption process. In this 
way, the condition judging unit 91 employed in the shrink generator 73 selects only pieces of m-bit data which are each 
generated by the additive generator 71 while the LFSR 72 is outputting a bit with the logic value "1° and stores the 
selected piece of m-bit data in the FIFO unit 92 of the generator 73. 

30 Each piece of m-bit data held in the FIFO unit 92 is supplied as an encryption key to the adder 74 for generating 

an encrypted text by adding the encryption key to data representing a clear text to be transmitted to a sink, that is, data 
played back from a DVD in the source. 

The encrypted data is then transmitted from the DVD player 1 to the optical magnetic disc apparatus 3 and the 
personal computer 2 by way of the 1 394 serial bus 11 . 

35 Fig. 1 5 is a diagram showing a typical configuration of the 1 394 interface unit 36 employed in the optical magnetic 

disc apparatus 3 for decrypting the encrypted data received from the DVD player 1 by way of the 1 394 serial bus 11 . 
As shown in the figure, much like the 1394 interface unit 26 employed in the DVD player 1 shown in Fig.11, the con- 
figuration comprises an additive generator 171, an LFSR (Linear Feedback. Shift Register) 172, a shrink generator 173 
and a subtractor 174. m-bit data generated by the additive generator 171 and 1-bit data generated by the LFSR 172 

40 are supplied to the shrink generator 173. The shrink generator 173 selects some pieces of m-bit data received from 
the additive generator 171 in accordance with the value of the 1-bit data supplied by the LFSR 172 and outputs the 
selected m-bit data to the subtractor 174 as a decryption key The subtractor 174 subtracts the m-bit decryption key 
received from the shrink generator 173 from an encrypted text, that is, m-bit data received from the DVD player 1 by 
way of the 1 394 serial bus 11 , to decrypt the encrypted text back into the clear text. 

45 it is obvious that the configuration of the 1394 interface unit 36 employed in the DVD player 1 shown in Fig. 15 is 

basically identical with that of the 1394 interface unit 26 employed in the optical magnetic disc apparatus 3 shown in 
Fig. 11 except that the subtractor 174 employed by the former is used as a substitute for the adder 74 of the latter. 

Fig. 16 is a diagram showing a detailed configuration of the 1394 interface unit 36 which is shown in Fig. 15 in a 
simple and plain manner. It is also obvious that the configuration of the 1394 interface unit 36 employed in the DVD 

so player 1 shown in Fig. 16 is basically identical with that of the 1 394 interface unit 26 employed in the optical magnetic 
disc apparatus 3 shown in Fig. 12 except that the subtractor 174 employed by the former is used as a substitute for 
the adder 74 of the latter. An additive generator 171 , an LFSR 172, a shrink generator 173, an adder 181, a register 
182, an adder 183, a register 184, a register 185, an adder 186, a condition judging unit 191 and a FIFO unit 192 
employed in the 1394 interface unit 36 of the optical magnetic disc apparatus 3 shown in Fig. 16 correspond to the 

55 additive generator 71 , the LFSR 72, the shrink generator 73, the adder 81 , the register 82, the adder 83, the register 
84, the register 85, the adder 86, the condition judging unit 91 and a FIFO unit 92 employed in the 394 interface unit 
26 of the DVD player 1 shown in Fig. 12 respectively. 

Thus, since the operation of the 1394 interface unit 36 employed in the optical magnetic disc apparatus 3 shown 
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in Fig. 16 is basically the same as that of the 394 interface unit 26 employed in the DVD player 1 shown in Fig. 12, its 
explanation is not repeated. It should be noted, however, that the former is different from the latter in that, in the case 
of the former, the subtractor 174 subtracts the m-bit decryption key received from the FIFO unit 192 employed in the 
shrink generator 173 from an encrypted text, that is, m-bit data received from the DVD player 1 by way of the 1394 

s serial bus 11 , to decrypt the encrypted text into the clear text. 

In the 1 394 interface unit 36 employed in the optical magnetic disc apparatus 3, encrypted data is decrypted only 
once by using a session key S, which comprises an initial value key Ss and a derangement key Si, and a time variable 
key i, strictly speaking, the key i\ as described above. 

In the case of the personal computer 2, on the other hand, encrypted data is decrypted by the 1394 interface unit 

10 49 using a time variable key i which is generated by the derangement key Si of the session key S and a key i" at a 1st 
stage of decryption and then further decrypted by the application unit 61 using an initial value key Ss of the session 
key S at a 2nd stage of decryption. 

Fig. 1 7 is a diagram showing a typical configuration of the 1 394 interface unit 49 employed in the personal computer 
2 for decrypting the encrypted data or the encrypted text received from the DVD player 1 by way of the 1 394 serial bus 

is 1 1 by means of hardware. As shown in the figure, much like the 1 394 interface unit 36 employed in the optical magnetic 
disc apparatus 3 shown in Fig. 15 and the 1394 interface unit 26 employed in the DVD player 1 shown in Fig.ll, the 
configuration comprises an additive generator 271 , an LFSR (Linear Feedback Shift Register) 272, a shrink generator 
* 273 and a subtractor 274 which correspond to the additive generator 1 71 , the LFSR (Linear Feedback Shift Register) 
172, the shrink generator 173 and the subtractor 174 shown in Fig. 15 respectively. The key i' for generating the time 

20 variable key i and the derangement key Si of the session key S for deranging the time variable key i input to the 1394 
- unit 49 shown in Fig. 17 from the license manager 62 are the same as the key i' and the derangement key Si input to 
the 1394 interface unit 36 shown in Fig. 15 from the firmware 30. However, all bits of the initial value key Ss of the 
session key S input to the 1 394 unit 49 shown in Fig. 1 7 are reset to 0. 

Fig. 18 is a diagram showing a detailed configuration of the 1394 interface unit 49 which is shown in Fig. 17 in a 

25 simple and plain manner. It is also obvious that the configuration of the 1 394 interface unit 49 employed in the personal 
computer 2 shown in Fig. 18 is basically identical with that of the 1394 interface unit 26 employed in the DVD player 
1 shown in Fig. 12 and the 1 394 interface unit 36 employed in the optical magnetic disc apparatus 3 shown in Fig. 16 
except that, in the case of the 1 394 interface unit 49 shown in Fig. 18, since all bits of the initial value key Ss of the 
session key S input to the 1 394 unit 49 shown in Fig. 17 are reset to 0, in essence, the decryption key is generated 

30 only from the time variable key i which is generated from the key i' and the derangement key Si as if the initial value 
key Ss were not available. As a result, at the subtractor 274, the encrypted data or the encrypted text is decrypted by 
using only the time variable key L Since the initial value key Ss has not been used in the decryption yet, a completely 
clear text has not been obtained yet as a result of the decryption/ That is to say, the result of the decryption is still in 
. an encrypted state. Thus, data resulting from the decryption can not be used as it is even if the data is copied from the 

35 internal bus 51 to a hard disc mounted on the hard disc drive 47 or another recording medium. 

Then, the data or the text decrypted by hardware in the 1349 interface unit 49 by using the time variable key i is 
further decrypted by software in the application module 61 . Fig. 19 is a diagram showing a typical configuration of the 
application module 61. Basically resembling the 1394 interface unit 26 employed in the DVD player 1 shown in Fig. 
1 1 , the 1 394 interface unit 36 employed in the optical magnetic disc apparatus 3 shown in Fig.1 5 and the 1 394 interface 

40 unit 49 employed in the personal computer 2 shown in Fig. 17, the application module 61 shown in Fig. 19 comprises 
an additive generator 371 . an LFSR (Linear Feedback Shift Register) 372, a shrink generator 373 and a subtractor 
374 which have configurations identical with the additive generator 171, the LFSR (Linear Feedback Shift Register) 
172, the shrink generator 173 and the subtractor 174 shown in Fig. 15 respectively 

It should be noted, however, that while the initial value key Ss of the session key S is supplied to the application 

45 module as is the case with the 1394 interface unit 26 employed in the DVD player 1 shown in Fig. 11 and the 1394 
interface unit 36 employed in the optical magnetic disc apparatus 3 shown in Fig. 15, the derangement key Si of the 
session key S for deranging the time variable key i and the key i' are each a unit element will all bits thereof reset to 0\ 
Fig. 20 is a diagram showing a detailed configuration of the application module 61 which is shown in Fig. 19 in a 
simple and plain manner. It is also obvious that the configuration of the application module 61 is basically identical with 

so that of the 1 394 interface unit 26 employed in the DVD player 1 shown in Fig. 12, the 1 394 interface unit 36 employed 
in the optical magnetic disc apparatus 3 shown in Fig. 16 and the 1394 interface unit 49 employed in the personal 
computer 1 shown in Fig. 18. Components employed in the application module 61 shown in detail in Fig. 20, from the 
adder 381 employed in the additive generator 371 to the FIFO unit 392 employed in the shrink generator 373, corre- 
spond to the components employed in the 13g4 interface unit 36 shown in Fig. 16, from the adder 181 employed in 

55 the additive generator 171 to the FIFO unit 192 employed in the shrink generator 173. respectively. Since all the bits 
of the key i' held in a register 384 and the derangement key Si held in a register 385 are 0, however, the bits of the 
time variable key i generated by the adder 386 are all 0. As a result, the application module 61 in essence operates 
as if the time variable key i were not present. That is to say the generation of a decryption key is based only on the 
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initial value key Ss. Then, a subtractor 374 decrypts the encrypted data or by using the decryption key generated in 
this way to produce a clear text. As described above, the encrypted data is a result of the decryption carried out by the 
1394 interface unit 49 based on the time variable key i, which is generated from the key i' and the derangement key 
Si, at the so called 1 st stage of decryption. On the other hand, the decryption carried out by the application module 61 
s based on the initial value key Ss is called a 2nd stage of decryption for producing a final completely clear text. 

When the decryption of the encrypted text described above is completed at the optical magnetic disc 3, the CPU 
31 supplies the decrypted data to the drive 35 for recording the data onto an optical magnetic disc. 

In the personal computer 2, on the other hand, the CPU 41 supplies the decrypted data resulting from the 1st stage 
of decryption carried out by the 1394 interface unit 49 typically to the hard disc drive 47 for recording the data by way 
10 of the internal bus 51 . It should be noted that, in the personal computer 2, a predetermined board can be connected 
to the input/output interlace unit 44 as the expansion board 48 for monitoring data transmitted through the internal bus 
51 as described earlier. Nevertheless, it is only the application module 61 that is capable of finally decrypting data 
transmitted through the internal bus 51 . Thus, even if the expansion board 48 is capable of monitoring encrypted data 
resulting from the decryption carried out by the 1394 interface unit 49 based on the time variable key i, the encrypted 
is data is not the completely clear text because the data has not been decrypted by the application module 61 by using 
" the initial value key Ss of the session key S. As a result, it is possible to prevent a completely clear text from being 
copied illegally provided that the completely clear text resulting from the final decryption carried out by the application 
* module 61 is never transmitted through the internal bus 51. 

Typically, adoption of the Diffie - Hellman technique allows the session key S to be shared by a source and sinks. 
20 it is worth noting that there are cases in which the 1394 interface unit 49 or the application module 61 employed 

in the personal computer 2 has a relatively low processing power so that it is not capable of carrying out decryption of 
data. In order to cope with such a problem, either of the initial value key Ss of the session key S and the time variable 
key i or both can be generated in the source as a unit element. By the same token, by using either or both of the keys 
as a unit element in the sink, data can virtually be transmitted from the source to the sink without using the initial value 
25 key Ss of the session key S and the time variable key i. With such a scheme, however, it is more quite within the bounds 
of possibility that the data is copied illegally. 

If the application module 61 itself is an illegal copy, it is much to be feared that the clear text resulting from decryption 
carried out by the application module 61 will also be copied illegally. In order to solve this problem, the license manager 
62 may authenticate the application module 61 prior to decryption as described earlier 
30 As a method for authenticating the application module 61 , a disclosed encryption key encryption method can be 

adopted in addition to the common session key encryption / decryption technique described earlier. 

The configurations shown in Figs. 11 , 12 and 15 to 20 satisfy a homomorphism relation. Thai is to say, if keys K 1 
and K 2 are elements of a Galois field G, a group processing result • K 2 of the two elements is also an element of 
the Galois field G. In addition, with respect to a predetermined function H, the following equation holds true. 

35 

H (K 1 ■ K 2 ) = H (K 1 ) • H(K 2 ) 

Fig. 21 is a diagram showing another typical detailed configuration of the 1394 interface unit 26 employed in the 
40 DVD player 1. As shown in the figure, the initial value key Ss ol the session key S is supplied to LFSRs 501 to 503 to 
be set therein as initial values. The widths of the LFSRs 501 to 503 are a, to n 3 bits respectively which are of the order 
of 20 bits. The LFSRs 501 to 503 are designed so that their widths n n to n 3 form an element in conjunction with each 
other. That is to say, for example, the high order n 1 bits, the intermediate order n 2 bits and the low order n 3 bits of the 
initial value key Ss of the session key S are set in the LFSRs 501 , 502 and 503 respectively each as an initial value. 
45 When an enable signal with the logic value 1 is supplied to the LFSRs 501 to 503 from a clocking function unit 

506, the LFSRs 501 to 503 each shift the contents thereof by m bits, outputting m-bit data. The value of m can be set 
typically at 8, 1 6, 32 or 40. 

The data output by the LFSR 501 is added to the data output by the LFSR 502 by an adder 504. A carry of the 
result of the addition carried out by the adder 504 is supplied to the clocking function unit 506 and the result of the 

so addition itself is added to the data output by the LFSR 503 by an adder 505. A carry of the result of the addition carried 
out by the adder 504 is also supplied to the clocking function unit 506 and the result of the addition itself is supplied 
to an exclusive logical sum computing circuit 508. 

The combination of the carries supplied by the adders 504 and 505 to the clocking function unit 506 is either 00, 
01, 10 or 11. The clocking function unit 506 outputs data representing one of combinations 000 to 111 to the LFSRs 

ss 501 to 503 in accordance with the combination of the carries received from the adders 504 and 505. As described 
above, when the enable signal with the logic value 1 is supplied to the LFSRs 501 to 503 from the clocking function 
unit 506, the LFSRs 501 to 503 each shift the contents thereof by m bits, outputting new m-bit data. When the enable 
signal with the logic value 0 is supplied to the LFSRs 501 to 503 from the clocking function unit 506, on the other hand, 
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the LFSRs 501 to 503 do not shift the contents thereof, outputting the same m-bit data as the data output right before. 

The exclusive logical sum computing circuit 508 receives the result of addition carried out by the adder 505 and 
the time variable key i stored in the register 507, calculating an exclusive logical sum of the inputs. An exclusive logical 
sum computing circuit 509 calculates another exclusive logical sum of the exclusive logical sum output by the exclusive 

5 logical sum computing circuit 508 and an input clear text, outputting the other exclusive logical sum as an encrypted text. 

Fig. 22 is a diagram showing another typical detailed configuration of the 1 394 interface unit 36 employed in the 
optical magnetic disc apparatus 3. As shown in the figure, all components employed in the 1394 interface unit 36, from 
an LFSR 601 to an exclusive logical sum computing circuit 609, have the same configurations as the corresponding 
components employed in the 1394 interface unit 26 shown in Fig. 21 , from the LFSR 501 to the exclusive logical sum 

io computing circuit 509. Thus, since their operations are basically also the same, the explanation of their operations is 
not repeated. The only difference between the 1394 interface unit 36 employed in the optical magnetic disc apparatus 
3 shown in Fig. 22 and the 1 394 interface unit 26 employed in the DVD player 1 shown in Fig. 21 is that the exclusive 
logical sum computing circuit 609 employed in the former decrypts an encrypted text while the exclusive logical sum 
computing circuit 509 employed in the latter encrypts a clear text. 

is Fig. 23 is a diagram showing another typical detailed configuration of the 1394 interface unit 49 employed in the 

personal computer 2. As shown in the figure, all components employed in the 1394 interface unit 49, from an LFSR 
701 to an exclusive logical sum computing circuit 709, have the same configurations as the corresponding components 
' employed in the 1394 interface unit 36 shown in Fig. 22, from the LFSR 601 to the exclusive logical sum computing 
circuit 609. The only difference between the 1394 interface unit 36 employed in the optical magnetic disc apparatus 3 

20 shown in Fig. 22 and the 1 394 interface unit 49 employed in the personal computer 2 shown in Fig. 23 is that the initial 
- value key Ss of the session key S supplied to the LFSRs 701 to 703 employed in the latter is a unit element will all bits 
thereof reset to 0. Thus, in the case of the 1394 interface unit 49 employed in the personal computer 2 shown in Fig. 
23, the decryption of an encrypted text is in essence based only on the time variable key i in the register 707 which is 
generated from the key i' and the derangement key Si of the session key S. 

2S Fig. 24 is a diagram showing another typical detailed configuration of the application module 61 of the personal 

computer 2. As shown in the figure, all components employed in the application module 61 , from an LFSR 801 to an 
exclusive logical sum computing circuit 809, have the same configurations as the corresponding components employed 
in the 1394 interface unit 36 shown in Fig. 22, from the LFSR 601 to the exclusive logical sum computing circuit 609. 
The only difference between the 1394 interface unit 36 employed in the optical magnetic disc apparatus 3 shown in 

30 Fig. 22 and the application module 61 of the persona! computer 2 shown in Fig. 24 is that the time variable key i supplied 
to the register 807 employed in the latter is a unit element will all bits thereof reset to 0. Thus, in the case of the 
application module 61 employed in the personal computers shown in Fig. 24, the decryption of encrypted data is in 
essence based only on the initial value key Ss of the session key S. 

It should be noted that the decryption processing in each of the configurations shown in Figs. 19, 20 and 24 is 

35 carried out by the application module 61 which is typically implemented by software. 

By the way, a license key can be changed or updated, if necessary, should the license key be stolen for some 
reasons by any chance. It is needless to say that a license key can also be changed once a predetermined period of 
time even if the license key is not stolen should it be quite within the bounds of possibility that the license key is stolen. 
In this case, the version of a license key representing the term of validity is recorded on a DVD. In the case of the 

40 present embodiment, the term of validity of a license key is represented by the number of times the hash function is 
to be applied to generate the license key. If an information receiving apparatus for receiving information transmitted 
through a satellite instead of information played back from a DVD player is an object being operated, only information 
of a valid version is transmitted to the information receiving apparatus by way of the satellite. 

Figs. 25 and 26 are diagrams showing an embodiment implementing a procedure for generating a source side 

45 session key sk in the DVD player 1 and a sink side session key sk' in the personal computer 2 by using an updated 
license key. It should be noted that, in addition to the fact that various pieces of information are stored in the EEPROM 
unit 27 employed in the DVD player 1 and the EEPROM unit 50 employed in the personal computer 2 of the embodiment 
shown in Fig. 4, the hash function is also stored not only in the EEPROM unit 26, but also in the EEPROM unit 50 in 
the case of the present embodiment. 

so As shown in Fig. 25, the procedure begins with a step S151 at which the DVD player 1 serving as a source makes 

a request to the personal computer 2 serving as a sink for the ID thereof. Then, the procedure goes on to a step S152 
at which the personal computer 2 receives the request for the ID. The procedure then proceeds to a step S 153 at which 
the personal computer 2 transmits the ID to the DVD player 1 . Then, the procedure continues to a step S1 54 at which 
the DVD player 1 receives the ID. 

ss Subsequently, the procedure goes on to a step SI 55 at which the DVD player 1 concatenates the ID received from 

the personal computer 2 with a service key stored in the EEPROM unit 27 to form data (ID II service_key). Then, a 
license key Ik is computed by applying the hash function to the data (ID II service_key) as shown in the following 
equation: 
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Ik = hash (ID tl service_key) 

The pieces of processing performed at the steps S151 to S155 as described above are the same as those carried 
5 out at the steps S1 to S5 of the procedure shown in Fig.4. 

The procedure then goes on to a step S156 at which the DVD player 1 forms a judgment as to whether or not the 
license key Ik generated at the step S155 has a valid version, that is, whether or not the license key Ik has been 
generated by applying the hash function a number of times equal to a predetermined value recorded on the DVD. As 
described above, the present valid version of a license key Ik is recorded as the predetermined value representing the 
10 number of times the hash function is to be applied to generate the license key Ik. Assume that the predetermined value 
recorded on the DVD is greater than one. Since the number of times the hash function has been applied to generate 
the license key Ik at the step S155 is 1, the license key Ik is judged to be invalid. In this case the procedure proceeds 
to a step S157 at which the DVD player 1 initializes a variable g indicating the number of times the hash function has 
been applied to generate the license key Ik at 1 and stores the generated license key Ik in a variable Ikg. Then, the 
is procedure continues to a step S158 at which the hash function is applied to the contents of the variable Ikg to find a 
" new license key Ik^-, according to the following equation; 

lk g+1 = hash (lk g ) 

20 

Subsequently, the procedure goes on to a step S1 59 to form a judgment as to whether or not the license key lkg +1 
generated at the step S158 has a valid version. If the license key Ik^-, does not have a valid version, that is, if the 
variable g has not reached the predetermined value, the procedure proceeds to a step S160 at which the DVD player 
1 increments the value of the variable g by 1 and stores lk g+1 in the variable lk g . The procedure then returns to the step 
2S S1 58 at which the hash function is again applied to the contents of the variable Ikg.^ 

The steps S158 and S159 are executed repeatedly till the value of the variable g, that is, the number of times the 
hash function has been applied to generate the license key reaches the predetermined value recorded on the DVD 
as a version of the license key. 

It should be noted that the predetermined value serving as an upper limit of the number of times the hash function 
30 can be applied to generate the license key is set typically at 1 00. 

If the outcome of the judgment formed at the step S159 indicates that the number of times the hash function has 
been applied to generate the license key has reached the predetermined value recorded on the DVD as a version of 
the license key, that is, if the outcome of the judgment indicates that a valid license key lkg +1 has been obtained at the 
step S158, or if the outcome of the judgment formed at the step S156 indicates that the license key Ik generated at 
35 the step S155 is valid, that is, if the number of times the hash function is to be applied to generate the license key is 
1, on the other hand, the procedure proceeds to a step S161 at which the DVD player 1 generates a source side 
session key sk in the same way as the procedure of Fig. 4 described earlier. 

Then, the procedure continues to a step S162 at which the DVD player 1 encrypts the source side session key sk 
generated at the step S161 by using the license key Ikg computed at the step S155 or S158 as a key to produce an 
40 encrypted source side session key e in accordance with the following equation: 

e = Enc (lk g , sk) 

46 Subsequently, the procedure goes on to a step SI 63 at which the DVD player 1 transmits the encrypted source 

side session key e generated at the step S162 along with the value of the variable g indicating the number of times 
the hash function has been applied to generate the license key Ikg to the personal computer 2. The procedure then 
proceeds to a step S 164 at which the personal computer 2 receives the encrypted source side session key e and the 
value of the variable g. Then, the procedure proceeds to a step S165 at which the personal computer 2 initializes a 

so variable w representing the number of times the hash function has been applied to generate a license key in the 
personal computer 2 at 1 . The procedure then continues to a step S166 to form a judgment as to whether or not the 
value of the variable g received at the step S164 is equal to the value of the variable w set at the step S165. If they 
are not equal to each other, the procedure goes on to a step S167 at which the hash function stored in the EEPROM 
unit 50 employed in the personal computer 2 is applied to license_keyw, the license key also stored in the EEPROM 

55 unit 50, to generate license_key w+1 , a new license key in accordance with the following equation: 

license_key w+1 = hash (license_key w ) 
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Then, the procedure continues to a step S168 at which the personal computer 2 increments the variable w by 1 
and substitutes license_key w+1 for license__key w . The procedure then returns to the step S166 to again form a judgment 
as to whether or not the value of the variable g is equal to the value of the variable w. The steps S 166 to SI 68 are 
executed repeatedly till the value of the variable w representing the number of times the hash function has been applied 
5 to generate the license key becomes equal to the value of the variable g. 

If the outcome of the judgment formed at the step S166 indicates the value of the variable w is equal to the value 
of the variable g, that is, if currently valid license_key w has been obtained, the procedure goes on to a step S 169 at 
which the personal computer 2 decrypts the encrypted source side session key e to produce a sink side session key 
sk* in accordance with the folbwing equation: 

10 

sk* = Dec (Ncense_key w , e) 

By appropriately repeating the application of the hash function to generate the license key as described above, 
is the information security can be further enhanced. 

According to the procedure shown in Figs. 25 and 26, the value of the variable g representing the version of a 
license key is transmitted by the source to the sink. It should be noted, however, that the application of the hash function 
r to generate the license key can be repeated as many times as is required without the need to transmit the version as 
is the case with an embodiment implementing a procedure shown in Fig. 25 and continued to Fig. 27 instead of Fig. 26. 
20 That is to say, in the case of this embodiment, only the encrypted source side session key e is transmitted by the 

- DVD player 1 to the personal computer 2 at the step SI 63. At that time, the value of the variable g representing the 
version of a license key is not transmitted. The procedure then proceeds to a step S1 64 at which the personal computer 
2 receives the encrypted source side session key e. Then, the procedure goes on to a step S165 at which the personal 
computer 2 decrypts the encrypted source side session key e to produce a sink side session key sk' using the license 
2S key stored in the EEPROM unit 50 in accordance with the following equation: 

sk' = Dec (license key, e) 

30 In the mean time, at a step S1 66, the DVD player 1 encrypts data to be transmitted to the personal computer 2 by 

using, among other keys, the source side session key sk generated at the step S161 and transmits the encrypted data 
to the computer 2. The procedure then goes on to a step S167 at which the personal computer 2 receives the encrypted 
data and then to a step S168 to decrypt the encrypted data by using, among other keys : the sink side session key sk' 
generated at the step S165. Then, the procedure proceeds to a step S 169 at which the personal computer 2 forms a 

35 judgment as to whether or not data resulting from the decryption carried out at the step S 168 is correct. For example, 
data received as a TS (Transport Stream) packet of the MPEG system has a code for synchronization with a hexadec- 
imal value of 47 in the head of the packet. In this case, the judgment as to whether or not data is correct can be formed 
by checking whether or not the synchronization code is perfect. 

If correct decrypted data was not resulted in at the step S1 68, the procedure goes on to a step S170 at which the 

40 personal computer 2 updates the license key in accordance with the following equation: 

license_key - hash (license_key) 

45 Then, the procedure proceeds to a step SI 71 at which the personal computer 2 again decrypts the encrypted 

source side session key e received at the step S 164 to produce a new sink side sessbn key sk' using the updated 
license key generated at the step S170 in accordance with the following equation: 

so sk' = Dec (license_key, e) 

Subsequently, the procedure returns to the step S168 to again decrypt the encrypted data received at the step 
S167 by using, among other keys, the sink side session key sk' generated at the step S171. Then, the procedure 
proceeds to a step S 169 at which the personal computer 2 forms a judgment as to whether or not data resulting from 
55 the decryption carried out at the step S168 is correct. As such, the steps S170, S171, S168 and S169 are executed 
repeatedly till the outcome of the judgment formed at the step S169 indicates that correct decrypted data was obtained 
at the step S1 68. 

In this way, the license key is updated to produce correct encrypted data. 
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As indicated by the procedure described above, in the source, the source side session key sk has to be generated 
before data to be transmitted to the sink is encrypted by using the source side session key sk. In the sink, on the other 
hand, the decryption of the encrypted data received from the source needs to be synchronized with the decryption of 
the encrypted source side session key e received from the source. To be more specific, the procedure on the sink side 
5 can not go on from the step S165 to decrypt the encrypted source side session key e to the step S168 to decrypt the 
decrypted data till the step S167 to receive the encrypted data is completed. 

In addition, the decryption of an encrypted source side session key e and an encrypted text carried out by the sink 
must be synchronized with the encryption of a source side session key sk and a clear text performed by the source. 
That is to say, a decryption key generated by the components composing the 1 394 interface unit 36 employed in the 
10 optical magnetic disc apparatus 3 shown in Fig. 22, from the LFSR 601 to the exclusive logical sum computing circuit 
608, has to correspond to an encryption key generated by the components composing the 1394 interface unit 26 
employed in the DVD player 1 shown in Fig. 21 , from the LFSR 501 to the exclusive logical sum computing circuit 508, 
and encrypted data decrypted by using the decryption key must be data resulting from encryption of a clear text by 
using the encryption key As described above, the encryption key has thus to be generated by the 1394 interface unit 
is 26 shown in Fig. 21 in synchronization with (that is, prior to) the encryption of the input clear text and the decryption 
" key must therefore be generated by the 1394 interface unit 36 shown in Fig. 22 in synchronization with (that is, prior 
. to) the decryption of the received encrypted text even though the synchronization is not explicitly shown in Figs. 21 
and 22. 

Accordingly, if a bit is missing for some reasons from a packet composing an encrypted text transmitted from a 

20 source to a sink by way of the 1 394 serial bus 11 , a phase representing a timing relation between a clear text and an 
encryption key in the source can not be sustained as a phase representing a timing relation between an encrypted text 
and a decryption key in the sink. However, this problem can be solved by updating or reinitializing the phase repre- 
senting a timing relation between an encrypted text and a decryption key in the sink periodically. Fig. 28 is a diagram 
showing a typical configuration of an embodiment implementing a source / sink system for updating or reinitializing the 

25 phase representing a timing relation between an encrypted text and a decryption key in the sink periodically. 

As shown in the figure, in the source, an exclusive logical sum computing circuit 901 computes an exclusive logical 
sum Ci of a random number generated by a random number generator 903 and an input clear text and outputs the 
exclusive logical sum Ci to an exclusive logical sum computing circuit 904 and a processing circuit 902 which also 
receives the initial value key Ss of a session key S. The processing circuit 902 carries out predetermined processing 

30 on the initial value key Ss of the session key S and the exclusive logical sum Ci output by the exclusive logical sum 
computing circuit 901 , outputting a result V\ of the processing to the random number generator 903 as an initial value. 

The exclusive logical sum computing circuit 904 computes the exclusive logical sum of the exclusive logical sum 
Ci generated by the exclusive logical sum computing circuit 901 and a time, variable key i to generate an encrypted 
text which is transmitted to the sink through the 1 394 serial bus 11 . 

35 The sink carries out operations in the reversed order of those performed by the source. To be more specific, an 

exclusive logical sum computing circuit 911 computes an exclusive logical sum Ci of the encrypted text received from 
the source through the 1394 serial bus 11 and the time variable key i, outputting the exclusive logical sum Ci to an 
exclusive logical sum computing circuit 912 and a processing circuit 913 which also receives the initial value key Ss 
of the session key S. The processing circuit 913 carries out predetermined processing on the initial value key Ss of 

40 the session key S and the exclusive logical sum Ci output by the exclusive logical sum computing circuit 911 , outputting 
a processing result Vi to a random number generator 914. The random number generator 914 generates a random 
number with the processing result Vi from the processing circuit 91 3 used as an initial value. The exclusive logical sum 
computing circuit 912 computes a final exclusive logical sum of the random number generated by the random number 
generator 914 and the exclusive logical sum Ci generated by the exclusive logical sum computing circuit 911 , outputting 

45 the final exclusive logical sum as a clear text. 

Fig. 29 is a diagram showing a typical configuration of the random number generator 903. As shown in the figure, 
the random number generators 903 comprises components, from an LFSR 931 to a clocking function unit 936. Each 
of the components shown in the figure has a function identical with the corresponding LFSR 501 etc., the adder 504 
etc. or the clock functioning unit 506 etc. of the embodiments shown in Figs. 21 to 24. 

50 it should be noted that the random number generator 914 has the same configuration as the random number 

generator 903 shown in Fig. 29. Therefore, it is not necessary to show the configuration of former in a separate figure. 

Fig. 30 shows a flowchart representing operations carried out by each of the processing circuits 902 and 913 on 
the source and sink sides respectively 

The operations are explained by referring to the flowchart shown in Fig. 30 as follows. 

55 The processing circuit 902 on the source side has a function f expressed by an equation given below to compute 

a value Vi from an input Ci supplied thereto by the exclusive logical sum computing circuit 901 and the initial value key 
Ss of a session key S. 
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Vi = f (Ss, Ci) 

As shown in the figure, the flowchart begins with a step S201 at which the processing circuit 902 uses the value 
s 0 as an initial value of the input Ci to compute a value Vi = f (Ss, Ci) as follows: 

V 0 =f(Ss,0) 

io The operational flow then goes on to a step S202 at which the value V0 computed at the step S201 is supplied to 

the random number generator 903 shown in Fig. 29. In the random number generator 903, the value V0 output by the 
processing circuit 902 is supplied to the LFSR 931 to 933 as an initial value. By using the same technique as the 1 394 
interface unit 26 shown in Fig. 21 and the other embodiments shown in Figs. 22 to 24, a random number is generated 
and output by the adder 935 employed in the random number generator 903 to the exclusive logical sum computing 

is circuit 901 shown in Fig. 28. The exclusive logical sum computing circuit 901 computes an exclusive logical sum Ci of 
the random number generated by the random number generator 903 and an input clear text, outputting the exclusive 
logical sum Ci back to the processing circuit 902. 

In the mean time, the operational flow shown in Fig. 30 proceeds to a step S203 at which the processing circuit 
902 sets a variable i at 1. The operational flow then continues to a step S204 at which the exclusive logical sum Ci 

20 received from the exclusive logical sum computing circuit 901 is stored in a variable C. 

Then, the operational flow goes on to a step S205 at which the processing circuit 902 carries out processing in 
accordance with the following equation 

2S Vi = f (Ss, Ci) + V M 

where Ci is the contents of the variable C 

Since the value of the variable i is i hi the present time, the above equation can be rewritten as follows: 

30 V1 =f (Ss, C 1 ) + V 0 

where V0 is a value computed at the slop S201 . 

Subsequently, the operational procedure goes on to a step S206 at which the processing circuit 902 forms a 

35 judgment as to whether or not the contents of the variable C, that is, G, in this case, are equal to a predetermined 
value T set in advance. In the mean lime, the exclusive logical sum computing circuit 901 outputs other exclusive 
logical sum Ci to the processing circuit 902 If the exclusive logical sum Ci is found unequal to the value T at the step 
S206, the operational flow proceeds to a step S207 at which the contents of the variable i are incremented by 1 before 
returning to the step S204 at which the other exclusive logical sum Ci received from the exclusive logical sum computing 

40 circuit 901 , that is, C 2 since i = 2, is stored in the variable C. 

Then, the operational flow goes on to the step S205 at which the processing circuit 902 carries out processing in 
accordance with the following equation 

45 V j? = f(Ss.C 2 ) + V 1 

where V1 is a value computed at the slup S205 in the immediately previous iteration. 

Subsequently, the operational procedure goes on to the step S206 at which the processing circuit 902 forms a 
judgment as to whether or not the inpui exclusive logical sum Ci, that is, C2 in this case, is equal to the predetermined 

50 value T. If the input exclusive logical sum Ci is found unequal to the value T, the operational flow proceeds to the step 
S207 at which the contents of the variable i are incremented by 1 before returning to the step S204. In this way, the 
steps S204 to S207 are executed rcpc.iicdly till the input exclusive logical sum Ci becomes equal to the value T. 

If the input exclusive logical sum Ci is lound equal to the value T at the step S206, on the other hand, the operational 
flow proceeds to the step S208 at which me value Vi (that is, V1 in this case) computed at the step S205 is output to 

ss the random number generator 903 hs ihc value V0 computed at the step S201 was output to the random number 
generator 903 at the step S202. In thn rmdom number generator 903, the value V1 output by the processing circuit 
902 is supplied to the LFSR 931 to 933 hs *n initial value. A random number is generated and output by the adder 935 
employed in the random number gcncmior 903 to the exclusive logical sum computing circuit 901 shown in Fig. 28. 
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The exclusive logical sum computing circuit 901 computes an exclusive logical sum Ci of the random number generated 
by the random number generator 903 and an input clear text, outputting the exclusive logical sum Ci back to the 
processing circuit 902. 

In the mean time, after the processing circuit 902 outputs the value Vi at the step S208 to the random number 
s generator 903, the operational flow shown in Fig. 30 returns to the step S203 at which the processing circuit 902 resets 
the variable i at 1. Thereafter, the steps S203 to S208 are executed repeatedly. 

Assume that the value T is 8 bits in width and the generation probability of the value of Ci is uniform. In this case, 
the probability of the Ci value's being equal to T is 1 /256 where 256 is the eighth power of 2. That is to say, the generation 
of the exclusive logical sum Ci having a value equal to T occurs at a rate of once per 256 sequential operations carried 
10 out by the exclusive logical sum computing circuit 901 to generate the exclusive logical sum Ci. As a result, the initial 
value used in the random number generator 903 for generating a random number is updated at a rate of once per 256 
sequential operations carried out by the exclusive logical sum computing circuit 901 to generate the exclusive logical 
sum CL 

The exclusive-logical sum Ci output by the exclusive logical sum computing circuit 901 is also supplied to the 
is exclusive logical sum computing circuit 904 for computing the exclusive logical sum of the exclusive logical sum Ci 
- and the time variable key i. The exclusive logical sum computed by the exclusive logical sum computing circuit 904 is 
output to the 1394 serial bus 11 as an encrypted text. 

In the sink, the exclusive logical sum computing circuit 911 computes an exclusive logical sum Ci of the encrypted 
text received from the source through the 1 394 serial bus 1 1 and the time variable key i, outputting the exclusive logical 
20 sum Ci to the exclusive logical sum computing circuit 91 2 and the processing circuit 91 3 which also receives the initial 
"*" value key Ss of the session key S. Much like the processing circuit 902 on the source side, the processing circuit 91 3 
carries out predetermined processing on the initial value key Ss of the session key S and the exclusive logical sum Ci 
output by the exclusive logical sum computing circuit 911 , outputting a processing result Vi to the random number 
generator 914 at a rate of once per 256 sequential operations to generate the exclusive logical sum Ci. The random 
25 number generator 91 4 generates a random number with the processing result Vi used as an initial value. The exclusive 
logical sum computing circuit 912 computes a final exclusive logical sum of the random number generated by the 
random number generator 914 and the exclusive logical sum Ci generated by the exclusive logical sum computing 
circuit 911 and outputs the final exclusive logical sum as a clear text. 

As described above, the processing circuit 91 3 outputs the processing result Vi to the random number generator 
30 914 at a rate of once per 256 sequential operations carried out by the exclusive logical sum computing circuit 911 to 
generate the exclusive logical sum Ci. As a result, a phase representing a timing relation between an encrypted text 
transmitted from a source to a sink by way of the 1394 serial bus 11 and a random number used as a decryption key 
in the sink can be recovered in the event of a bit missing for some reasons from a packet composing the encrypted 
text at the time the processing circuit 913 outputs the processing result Vi to the random number generator 914 at a 
35 rate of once per 256 sequential operations to generate the exclusive logical sum Ci. 

It should be noted that, since the processing circuit 902 or 913 outputs the processing result Vi to the random 
number generator 914 when the exclusive logical sum Ci becomes equal to the value T (Ci ~ T), the processing circuit 
913 does not output the processing result Vi to the random number generator 914 periodically. Instead, nothing more 
can be said more than the fact that the processing circuit 913 outputs the processing result Vi to the random number 
40 generator 914 at a probability of once per 256 sequential operations to generate the exclusive logical sum Ci on the 
average. 

It is worth noting that the rate at which the processing circuits 902 and 913 output the processing result Vi to the 
random number generators 903 and 914 can also be based on the number of pieces of encrypted data transmitted by 
the source and received by the sink. When a piece of data is missing in the course ot transmission through the 1394 
45 serial bus 11 1 however, this method will have a problem that the data piece count on the source side will be different 
from the data piece count on the sink side, making it no longer possible to establish synchronization between the source 
and the sink. It is thus desirable to adopt the synchronization technique implemented by the embodiment described 
above. 

As an initial value used in the random number generator 903 or 914, the exclusive logical sum Ci output by the 
50 exclusive logical sum computing circuit 901 or 911 can be supplied to the random number generator 903 or 914 re- 
spectively as it is. In this case, however, transmitted through the 1394 serial bus 11, it is much to be feared that the 
exclusive logical sum Ci is stolen. That is why the exclusive logical sum Ci is not used directly as an initial value. 
Instead, by using a value Vi resulting from predetermined processing carried out on the exclusive logical sum Ci as an 
initial value, the data security can be further improved. 
55 in the embodiment implementing an authentication procedure shown in Fig. 4, the license key sk is fixed. It should 

be noted, however, that the license key Ik can be changed each time the authentication procedure is executed. Fig. 
31 is a diagram showing an embodiment implementing an authentication procedure wherein the license key Ik is 
changed each time the authentication procedure is executed. 
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As shown in Fig. 31 , the procedure begins with a step S211 at which the firmware 20 in the DVD player 1 controls 
the 1394 interface unit 26 to make a request to the personal computer 2 for the ID thereof to be transmitted by way of 
the 1394 serial bus 11 . Then, the procedure goes on to a step S212 at which the license manager 62 of the personal 
computer 2 receives the request for the ID. To put it in detail, the 1394 interface unit 49 employed in the personal 
s computer 2 passes on the request for the ID transmitted by the DVD player 1 by way of the 1 394 serial bus 11 to the 
CPU 41. The procedure then proceeds to a step S213 at which the license manager 62 being executed by the CPU 
41 reads out the ID from the EEPROM unit 50 in accordance with the request forwarded thereto by the 1394 interface 
unit 49 and transmits it to the DVD player 1 by way of the 1 394 interface unit 49 and the 1 394 serial bus 11 . 

Then, the procedure continues to a step S214 at which the 1394 interface unit 26 employed in the DVD player 1 
10 receives the ID and passes it to the firmware 20 being executed by the CPU 21 . . 

Subsequently, the procedure goes on to a step S21 5 at which the firmware 20 concatenates the ID received from 
the personal computer 2 with a service key stored in the EEPROM unit 27 to form data (ID II service_key). Then, a 
license key Ik is computed by applying the hash function to the data (ID II service_key) as shown in the following 
equation: 

1S 

Ik = hash (ID II service_key) 

The procedure then proceeds to a step S216 at which the firmware 20 generates a random number r. Then, the 
20 procedure proceeds to a step S217 at which the firmware 20 concatenates the license key Ik with the random number 
" r and modifies the license key Ik to a license key Ik' by applying the hash function to the result of concatenation as follows: 

Ik' = hash (Ik II r) 

25 

Subsequently, the procedure proceeds to a step S218 at which the firmware 20 generates a source side session 
key sk. Then, the procedure continues to a step S219 at which the firmware 20 encrypts the source side session key 
sk generated at the step S218 by using the license key Ik* computed at the step S217 as a key to an encrypted source 
side session key e in accordance with the following equation: 

30 

e = Enc (Ik*, sk) 

Subsequently, the procedure goes on to a step S220 at which the firmware 20 transmits the encrypted source side 
35 session key e generated at the step S219 and the random number r generated at the step S216 to the personal 
computer 2. To put it in detail, the encrypted source side session key e and the random number r are transmitted by 
the 1 394 interface unit 26 employed in the DVD player 1 to the personal computer 2 by way of the 1 394 serial bus 11 . 
The procedure then proceeds to a step S221 at which the 1394 interface unit 49 employed in the personal computer 
2 receives the encrypted source side session key e and the random number r. Subsequently, the procedure goes on 
40 to a step S222 at which the license manager 62 generates a license key Ik" by applying the hash function stored in the 
EEPROM unit 50 to a result of concatenation of the random number received at the step S221 with a license key stored 
in the EEPROM unit 50 as follows: 

4S Ik" - hash (license_key Mr) 

Then, the procedure proceeds to a step S223 at which the license manager 62 decrypts the encrypted source side 
session key e passed on thereto by the 1 394 interface unit 49 by using the license key Ik" generated at the step S222 
as a key to produce a sink side session key sk' in accordance with the following equation: 

so 

sk' = Dec (Ik", e) 

Since the license key given to the personal computer 2 by the author of information and stored in the EEPROM 
55 unit 50 was generated in the same way as the license key Ik generated in the DVD player 1 at the step S215, the 
license key Ik" generated by the personal computer 2 at the step S222 has the same value as the license key Ik' 
generated in the DVD player 1 at the step S217. That is to say, the following equation holds true: 
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Ik' = Ik" 

As a result, the sink side session key sk' resulting from the decryption of the encrypted source side session key e 
s carried out by the personal computer 2 at the step S223 has the same value as the source side session key sk generated 
by the DVD player 1 at the step S218. That is to say, the following equation holds true: 

sk' = sk 

10 

By changing the license key Ik' used for encrypting the source side session key sk from time to time before trans- 
mitting the key sk to the sink, it is less to be feared that the encrypted source side session key sk transmitted to the 
sink can be decrypted by an unauthorized person who knows a fixed license key by any chance. 

In the embodiments described above, the DVD player 1 serves as a source while the personal computer 2 and 

is the optical magnetic disc apparatus 3 each serve as a sink. It should be noted that the description is not intended to 
* be construed in a limiting sense. That is to say, any arbitrary electronic apparatus can be used as a source or a sink. 
In addition, while the 1394 serial bus 11 is used as an external bus for connecting the electronic apparatuses 
" composing a data processing system to each other, the scope of the present embodiment is not limited to such em- 
bodiments. That is, a variety of buses can be used as an external bus and electronic apparatuses connected to each 

20 other by the external bus are not limited to those employed in the embodiments described above. Any arbitrary elec- 
tronic apparatuses can be used to compose the data processing system. 

It is also worth noting that a variety of programs consisting of instructions to be executed by CPUs are presented 
to the user through providing media such a magnetic disc, a CD-ROM disc and a network and can be used, if necessary, 
by storing the programs in a RAM unit or a hard disc incorporated in the electronic apparatus. 

25 According to an embodiment of a data transmitting apparatus as claimed in claim 1 , an embodiment of a data 

transmitting method as claimed in claim 10 and an embodiment of a recording medium as claimed in claim 41, com- 
putation of a first value Ik (or the so-called license key) is based on an ID received from other equipment and the 
apparatus' or the method's own ID (or the so-called service key used for identifying information to be processed or 
identifying a service for processing the information) as shown on the source side of the procedure of Fig. 4. As a result, 

30 the security of transmitted data can be improved for a reason described as follows. 

To put it in detail, the first value Ik is computed by the data transmitting apparatus or the data transmitting method 
by applying a predetermined method or a predetermined sub-method respectively to the ID received from other equip- 
ment and the apparatus' or the method's own ID. Key information sk is then generated and predetermined processing 
based upon the 1st value Ik is further carried out on the key information sk. Finally, a result e of the predetermined 

35 processing is transmitted to the other equipment. As a result, only valid other equipment is allowed to carry out pre- 
determined data processing, giving rise to an even improved security of the transmitted data. 

In addition, according to an embodiment of a data transmitting apparatus as claimed in claim 1, an embodiment 
of a data transmitting method as claimed in claim 10 and an embodiment of a recording medium as claimed in claim 
41 as well as an embodiment of a data receiving apparatus as claimed in claim 1 9, an embodiment of a data receiving 

40 method as claimed in claim 30 and an embodiment of a recording medium as claimed in claim 43, the 1st value Ik is 
computed by the data transmitting apparatus or the data transmitting method by applying a predetermined method or 
a predetermined sub-method respectively to the data receiving apparatus' or the data receiving method's own ID trans- 
mitted by the data receiving apparatus or the data receiving method and the data transmitting apparatus' or the data 
transmitting method's own ID. Key information sk is then generated by the data transmitting apparatus or the data 

45 transmitting method and predetermined processing based upon the 1st value Ik is further carried out on the key infor- 
mation sk by the data transmitting apparatus or the data transmitting method. Finally, a result e of the predetermined 
processing is transmitted to the data receiving apparatus wherein the result e of the predetermined processing is 
decrypted by the data receiving apparatus or the data receiving method by using a license key having the same value 
as the 1st value Ik. As a result, an information processing system offering an even higher security of transmitted data 

so can be implemented. 

In another embodiment implementing the information processing system described above as shown in Fig. 9, a 
first value H is computed by the data transmitting apparatus or the data transmitting method by applying a predetermined 
hash function to the data receiving apparatus' or the data receiving method's own ID transmitted by the data receiving 
apparatus or the data receiving method and the data transmitting apparatus' or the data transmitting method's own ID. 
55 Key information sk is then generated by the data transmitting apparatus or the data transmitting method and prede- 
termined processing based upon the 1 st value H is further carried out on the key information sk by the data transmitting 
apparatus or the data transmitting method. Finally, a result e of the predetermined processing is transmitted to the data 
receiving apparatus wherein the result e of the predetermined processing is decrypted by using two license keys LK 



23 



EP 0 874 299 A2 



and LK' provided to the data receiving apparatus or the data receiving method. The license keys LK and LK' are 
generated in advance typically by the author of information by using the predetermined hash function, a pseudo random 
number generating function pRNG, and the inverse function GM of a confusion function G. By also applying the 
pseudo random number generating function pRNG in the predetermined processing and the pseudo random number 

s generating function pRNG and the confusion function G in the decryption of the result e of the predetermined process- 
ing, the security of the transmitted data can be further improved for reasons described as follows. 

To put it in detail, in the other embodiment described above, the result e of the predetermined processing is obtained 
by encryption of the key information sk using a pseudo random number pRNG(H) obtained from the 1 st value H. As a 
result, the security of the transmitted data can be further improved by the more complicated processing. 

10 in addition, the aforementioned license key LK' provided to the data receiving apparatus or the data receiving 

method is computed in advance by applying the inverse function GM to a result R which is obtained by applying the 
pseudo random number generating function pRNG to the 1 st value H and the license key LK. As a result, an information 
processing system offering an even better security of transmitted data can be implemented through the use of the 
license key LK' derived from a more complex calculation in addition to the license key LK. 

15 

Claims 

1. A data transmitting apparatus wherein data is transmitted after predetermined processing based upon said appa- 
20 ratus'own ID code and an ID code received from other equipment has been carried out, said apparatus comprising: 

a storage means for storing said apparatus' own ID code; 

a reception means for receiving an ID code from other equipment; 

a 1st calculation means for calculating a 1st value by application of a predetermined method to an output of 
25 said storage means and an output of said reception means; 

a key information generating means for generating key information; 

an information processing means for carrying out said predetermined processing based upon said 1st value 
on said key information; and 

a transmission means for transmitting an output of said information processing means. 

30 

2. A data transmitting apparatus according to claim 1 wherein, in accordance with said predetermined method, a 
predetermined function is applied a predetermined number of times. 

3. A data transmitting apparatus according to claim 2 wherein said predetermined f unction is modified in accordance 
35 with said predetermined number of times. 

4. A data transmitting apparatus according to claim 3 wherein said predetermined function is a hash function. 

5. An encryption apparatus for carrying out encryption based on a predetermined key code, said apparatus compris- 
40 jng: 

a random number generator for generating a random number from an input value; 

a synthesis means for merging said random number output by said random number generator with input data 
to generate encrypted data; and 
45 a processing means for carrying out processing based upon said predetermined key code on said encrypted 

data output by said synthesis means and supplying an output signal to said random number generator as said 
input value. 

6. An encryption apparatus according to claim 5 wherein said processing means compares said encrypted data output 
so by said synthesis means with a predetermined value and changes a parameter used in said processing till said 

encrypted data output at said synthesis means becomes equal to said predetermined value. 

7. An encryption apparatus according to claim 5 further comprising a 2nd synthesis means for generating final en- 
crypted data by encryption of said encrypted data output by said synthesis means based on a 2nd key code. 

55 

8. A data transmitting apparatus according to claim 1 wherein, in accordance with said predetermined method, a 
predetermined function is applied and a random number is used in application of said predetermined function. 



:iD: <EP 0874299A2_I_> 



24 



EP 0 874 299 A2 



9. A data transmitting apparatus according to claim 8 wherein said predetermined function is a hash function. 

10. A data transmitting method whereby data is transmitted after predetermined processing based upon an own ID 
code and an ID code received from other equipment has been carried out, said method comprising the steps of: 

5 

reading out said own ID code from a storage means; 
receiving an ID code transmitted by other equipment; 

calculating a 1st value by application of a predetermined sub-method to said ID read out from said storage 
means and said ID received from said other equipment; 
io generating key information; 

carrying out said predetermined processing based upon said 1st value on said key information; and 
transmitting said key information completing said predetermined processing. 

11. A data transmitting method according to claim 10 wherein, in accordance with said predetermined sub-method, a 
is predetermined function is applied a predetermined number of times. 

12. A data transmitting method according to claim 11 wherein said predetermined function is modified in accordance 
with said predetermined number of times. 

20 13. A data transmitting method according to claim 12 wherein said predetermined function is a hash function. 

14. An encryption method for carrying out encryption based on a predetermined key code, said method comprising: 

a random number generating step of generating a random number from an input value; 
25 a data merging step of merging said random number with input data to generate encrypted data; and 

a data processing step of carrying out processing based upon said predetermined key code on said encrypted 
data generated at said data merging step and supplying an output signal to said random number generating 
step as said input value. 

30 15. An encryption method according to claim 14 whereby, at said data processing step, said encrypted data output at 
said data merging step is compared with a predetermined value and a parameter used in said processing is 
changed till said encrypted data generated at said data merging step becomes equal to said predetermined value. 

16. An encryption method according to claim 14 whereby final encrypted data is generated by encryption of said 
35 encrypted data generated at said data merging step based on a 2nd key code: 

17. A data transmitting method according to claim 10 whereby, in accordance with said predetermined sub-method, 
a predetermined function is applied and a random number is used in application of said predetermined function. 

40 18. A data transmitting method according to claim 17 wherein said predetermined function is a hash function. 

19. A data receiving apparatus for decrypting data received from other equipment by decryption based on said appa- 
ratus' own key and information received from said other equipment, said apparatus comprising: 

45 a storage means lor storing said apparatus* own key; 

a reception means for receiving data and information from other equipment; and 

a decryption means for decrypting an output ol said reception means by using an output of said storage means 
as a base. 

so 20. A data receiving apparatus according to claim 1 9 wherein a judgment as to whether or not said apparatus' own 
key satisfies a predetermined condition is formed and predetermined processing is carried out on said apparatus' 
own key till said apparatus' own key satisfies said predetermined condition. 

21. A data receiving apparatus according to claim 20 wherein: 

55 

said predetermined condition is judged to be satisfied by said apparatus's own key if the number of times said 
predetermined processing is carried out on said apparatus' own key is equal to a predetermined value included 
in data received from other equipment; and 
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said predetermined processing is carried out on said apparatus' own key by applying a predetermined function 
to said apparatus' own key while incrementing the number of times said predetermined function is applied to 
said apparatus' own key. 

s 22. A data receiving apparatus according to claim 20 wherein: 

said predetermined condition is judged to be satisfied by said apparatus's own key if a result of decryption of 
data received from other equipment is correct; and 

said predetermined processing is carried out on said apparatus' own key by applying a predetermined function 
10 to said apparatus' own key. 

23. A data receiving apparatus according to claim 21 wherein said predetermined function is a hash function. 

24. A data receiving apparatus according to claim 22 wherein said predetermined function is a hash function. 

15 

25. An encrypted data decrypting apparatus for carrying out decryption of encrypted data based on a predetermined 
key code, said apparatus comprising: 

a random number generator for generating a random number from an input value; 
20 a synthesis means for merging said random number generated by said random number generator with input 

data to generate a clear text; and 

a processing means for carrying out processing based upon said predetermined key code on said input data 
and supplying an output signal as said input value to said random number generator. 

25 26. An encrypted data decrypting apparatus according to claim 25 wherein said processing means compares said 
input value with a predetermined value and changes a parameter used in said processing till said input data be- 
comes equal to said predetermined value. 

27. An encrypted data decrypting apparatus according to claim 25 further comprising a 2nd synthesis means for gen- 
30 erating said input data by decryption of said encrypted data based on a 2nd key code. 

28. A data receiving apparatus according to claim 1 9 wherein said decryption is application of a predetermined function 
and a random number is used in said application of said predetermined function. 

35 29. A data transmitting apparatus according to claim 28 wherein said predetermined function is a hash function. 

30. A data receiving method for decrypting data received from other equipment by decryption based on an own key 
and information received from said other equipment, said method comprising the steps of: 

40 reading out said method' own key from a storage means; 

receiving data and information from other equipment; and 

decrypting said data by using said key and said information as a base. 

31. A data receiving method according to claim 30 wherein a judgment as to whether or not said method" own key 
45 satisfies a predetermined condition is formed and predetermined processing is carried out on said method' own 

key till said method' own key satisfies said predetermined condition. 

32. A data receiving method according to claim 31 wherein: 

50 said predetermined condition is judged to be satisfied by an own key if the number of times said predetermined 

processing is carried out on said own key is equal to a predetermined value included in data received from 
other equipment; and 

said predetermined processing is carried out on said method' own key by applying a predetermined function 
to said method' own key while incrementing the number of times said predetermined function is applied to said 
55 method' own key. 

33. A data receiving method according to claim 31 wherein: 
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said predetermined condition is judged to be satisfied by an own key if a result of decryption of data received 
from other equipment is correct; and 

said predetermined processing is carried out on said method' own key by applying a predetermined function 
to said own key. 

5 

34. A data receiving method according to claim 32 wherein said predetermined function is a hash function. 

35. A data receiving method according to claim 33 wherein said predetermined function is a hash function. 

io 36. An encrypted data decrypting method for carrying out decryption of encrypted data based on a predetermined key 
code, said method comprising: 

a random number generating step of generating a random number from an input value; 
a random number merging step of merging said random number with input data to generate a clear text; and 
is a processing step of carrying out processing based upon said predetermined key code on said input data and 

supplying an output signal to said random number generating step as said input value for generating said 
random number. 

37. An encrypted data decrypting method according to claim 36 wherein, in said processing, said input value is com- 
20 pared with a predetermined value and a parameter used in said processing is changed till said input data becomes 

equal to said predetermined value. 

38. An encrypted data decrypting method according to claim 36 wherein said input data supplied to said random 
number merging step is generated by merging said encrypted data received from an external source with a 2nd 

2S key code. 

39. A data receiving method according to claim 30 wherein said decryption is application of a predetermined function 
and a random number is used in said application of said predetermined function. 

30 40. A data transmitting method according to claim 39 wherein said predetermined function is a hash function. 

41. A recording medium for recording a program prescribing a data transmitting method whereby data is transmitted 
after predetermined processing based upon an own ID code and an ID code received from other equipment has 
been carried out, said method comprising the steps of: 

35 

reading out said own ID code from a storage means; 
receiving an ID code transmitted by other equipment; 

calculating a 1st value by application of a predetermined sub-method to said ID read out from said storage 
means and said ID received from said other equipment; 
40 generating key information; 

carrying out said predetermined processing based upon said 1st value on said key information; and 
transmitting said key information completing said predetermined processing. 

42. A recording medium for recording a program prescribing a data transmitting method according to claim 41 wherein, 
45 jn accordance with said predetermined sub-method, a predetermined function is applied a predetermined number 

of times. 

43. A recording medium for recording a program prescribing a data receiving method for decrypting data received 
from other equipment by decryption based on an own key and information received from said other equipment 

so wherein said method comprises the steps of: 

reading out said own key from a storage means; 

receiving data and information from other equipment; and 

decrypting said data by using said key and said information as a base. 

55 

44. A recording medium for recording a program prescribing a data receiving method according to claim 43 wherein a 
judgment as to whether or not said method' own key satisfies a predetermined condition is formed and predetermined 
processing is carried out on said method' own key till said method 1 own key satisfies said predetermined condition. 
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(= hash (ID !! service key)). Subsequently, the DVD play- 
er generates a source side session key and encrypts 
the session key by using the generated license key. 
Then, the DVD player transmits the encrypted source 
side session key to the PC. The PC decrypts the en- 
crypted source side session key by using the license key 
stored in its EEPROM to produce a sink side session 
key which has a value equal to that of the source side 
session key. 
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